I am in the middle of labbing a DMVPN environment and after getting it working with PSK, I have got it working with certificates by setting up a Cisco IOS Certificate Server and enrolling all routers.
I have noticed that my router identity certificates seem to auto refresh/enroll their certificates OK, but I am concerned about what is going to happen about the validity of the root certificate, which has a finite set time.
Can anyone explain what I would need to do to ensure the root CA certificate doesn't expire, or how to replace the root cert without having to delete all the certificates on all routers?
When I check out the options I can configure inside the 'crypto pki server' or '...trustpoint' for the CA, I can't seem to find anything that makes sense, or change anything as it's in use.