
Certificate Expiration Notification CallManager 5.1 RTMT Expiry Monitor

Not applicable

Hello

I'm looking for some advice and information. We are getting notifications from RTMT that some certificates are about to expire on our publisher server. These are tomcat_cert (own), ipsec_cert (own), CalManagerUnit (own), CAPF (own), and CAPF-XXXXXX (trust). As these are self-generated certificates, will they regenerate automatically upon expiration or do we need to take some action?

Thank you!


ronpatel
Level 8

Hi

There are 2 types of certificates. One type is called certificate trust. If the expiring cert is a TRUST (i.e. "CAPF-trust", "CallManager-trust"), you can just click on it, verify that the valid date/time range is expired, and delete it.

The other type is called certificate. If it is certificate type = "certs", then click on the file, and there should be a 'regenerate' option. This will regenerate the certificate and also recreate the new "CAPF-trust" or "CallManager-trust" certificates with new date/time ranges.

If you are using a Certificate Authority (some people use a CA to sign the Tomcat certificate), instead of regenerating the certificates you'll need to click on the certificate, download the CSR, get it signed by your CA and then upload it to CUCM.

So as long as the expired Tomcat certificate is not a CA-signed certificate, it will be safe to regenerate it.

The impact of the delete/regenerate operation above is minimal. For example, if you delete the trust-cert, then regenerating the corresponding cert will recreate that trust-cert. If you regenerate the cert (for example the Tomcat cert), the impact is that you won't see the newly generated certificate when accessing the CUCM GUI page until you restart the 'Cisco Tomcat' service.

Also, you don't need to wait until the certificates expire before regenerating.

To check details:

Log in to the platform administration webpage: Security > certificate management > display certificate own certificates > Tomcat > next & IPSEC > next

If this is a production server, you may contact Cisco TAC before proceeding.

Regards

Ronak patel

Please rate helpful posts by clicking stars below the answer.

Not applicable

Thank you Ronak!