The App Server has an inbuilt CA that can generate certificates for other devices but also for itself. The chain is always the generated server certificate and the issuing CA certificate. Even if the App Server generates a certificate for itself, there are two different certificates: the CA certificate (root certificate) with a longer lifetime (usually 7-10 years) AND the server certificate that is used by the running services (IPO, Webserver, 1XP, WebRTC, …) with a shorter lifetime of usually not more than 13 months. The clients trust the CA (certificate) and all servers that use certificates generated by that CA, as long as the correct SANs are set. If the CA stays the same and generates a new certificate for the service, the client will continue to trust the server.
BUT… this is only the case if you create the certificates in WebControl (7071). In security settings (regardless of whether it is an IP500 or a Linux system) you can only generate real self-signed certificates. Those don't have a chain. The server and the issuer are the same and have the same lifetime. If you renew the certificate, the issuer certificate (even if it is not a real issuer) will be new as well, and the clients don't have that in their certificate store. So they will not trust that certificate.
You have to distinguish between the inbuilt CA of the App Server (or Primary Server) and the services (IPO, …) running on that server.
Unlike the 96xx series, which load a new CA certificate during a reboot, J series phones only load new CA certificates if you reset them. Very annoying in my opinion.
I understand that this can be confusing, but I decided to work with that and gained good expertise in that topic, which is especially necessary as I do so much remote worker stuff (mostly with ASBCE) where you want encrypted connections and therefore need certificates.