we have ipsec tunnels with about 150 Cisco routers that are conneted to the HQ routers through CA.
But CA is expiring within few days and we have to create new one.
This step is pretty awful cause it will unplugged the branch routers for couple of hours
The problem is that the crypto map cannot use different CA than the root one
For exapmle if I would enroll another root certificate and that pair with the crypto map, that I would be able to re-configure branch by branch
But there is no option in the IOS to do it like this
Do yo have any idea how this proccess can be managed ?