Symptom
The internal CA certificate chain becomes invalid if the old PPAN is removed from the deployment.
Example: if ise1 is the PPAN and ise2 is the SPAN, and at some point ise2 is promoted to PPAN and ise1 is removed from the deployment, all certificates signed by ise1 as Root CA are invalidated.
Those certificates remain invalid even if ise1 is re-joined to the deployment.
Conditions
If the PPAN is demoted to SPAN and removed from the deployment for any reason.
Workaround
Regenerating the Root CA certificate generates a new certificate with the current PPAN as Root CA.
Please note that the certificates which became invalid are not removed after the new Root CA certificate is generated; they must be re-issued under the new Root CA.
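The failure mode described in the Symptom and Workaround sections, modelled with plain openssl as an added example (this is not code from the bug page or from Cisco ISE). The node names ise1 and ise2 come from the page; the DNs, file names and endpoint names are constructed, and the promoted or re-joined node's internal CA is modelled as a fresh self-signed root with a new key pair, which is an assumption about ISE behaviour made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original bug page. Models the ISE internal CA
# with plain openssl: an endpoint cert signed by the old PPAN root (ise1) stops
# chaining once the trust anchor is a different root (ise2), and a re-joined
# ise1 is assumed to get a fresh key pair, so the same subject name does not help.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root FILEPREFIX NODE : self-signed root for NODE's internal CA (constructed DN)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Certificate Services Root CA - $2" \
    -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.pem" 2>/dev/null
}

# issue_leaf ROOTPREFIX NAME : endpoint certificate signed by that root
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1-root.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# chain_valid ROOTPREFIX NAME : exit 0 if NAME's cert chains to that root, non-zero otherwise
chain_valid() {
  openssl verify -CAfile "$WORK/$1-root.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# issued_by ROOTPREFIX NAME : "yes" if the leaf's issuer DN equals the root's subject DN.
# A DN match alone is not proof of a valid chain (see the re-join case below).
issued_by() {
  root_subj=$(openssl x509 -in "$WORK/$1-root.pem" -noout -subject)
  leaf_iss=$(openssl x509 -in "$WORK/$2.pem" -noout -issuer)
  [ "${root_subj#subject=}" = "${leaf_iss#issuer=}" ] && echo yes || echo no
}

# 1. ise1 is PPAN; its internal CA signs an endpoint certificate.
make_root ise1 ise1
issue_leaf ise1 endpoint-01
chain_valid ise1 endpoint-01 && echo "before: endpoint-01 chains to the ise1 root"

# 2. ise2 is promoted to PPAN and ise1 is removed: the trust anchor is now ise2's root.
make_root ise2 ise2
chain_valid ise2 endpoint-01 || echo "after removal: endpoint-01 no longer chains (signing root gone)"

# 3. ise1 re-joins. Assumption: its CA comes back with a new key pair and the same DN.
make_root ise1-rejoined ise1
chain_valid ise1-rejoined endpoint-01 || \
  echo "after re-join: still invalid although issuer DN matches (issued_by: $(issued_by ise1-rejoined endpoint-01))"

# 4. Workaround: regenerate the root on the current PPAN and re-issue. Only new
#    certificates chain; the old one is not removed and must be found by issuer.
issue_leaf ise2 endpoint-02
chain_valid ise2 endpoint-02 && echo "workaround: endpoint-02 (re-issued) chains to the ise2 root"
echo "endpoint-01 issued by old ise1 root: $(issued_by ise1 endpoint-01) -> needs re-issue"
```

The `issued_by` check is the inventory step the Workaround implies: after regenerating the Root CA, certificates whose issuer DN still names the old root are the ones that need to be re-issued, and the re-join case shows that matching the issuer name is not enough to make the chain valid again.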
Further Problem Description