Symptom
The symptoms of this can be seen in the show running configurations.
What will be seen in the show run is the following:
sh run | sec crypto pki certificate pool
crypto pki certificate pool
! ('certificate ca' cmd has been deprecated. Downloaded
! Trustpool certificates should be re-downloaded
! using 'crypto pki trustpool import url ')
The above cannot be removed.
Conditions
This day1 issue and will affect all releases and platforms.
This is an issue with the pki trustpool infra.
All devices which have the below config will be affected
crypto pki certificate pool
The steps to reproduce this issue are the following:
1) no call-home service enabled.
2) reboot.
3) call-home automatically added by IOS-XE on boot.
4) wait ~2 weeks.
5) "crypto pki certificate pool" automatically appears in the running-config
(call-home calls home and updates the trustpool).
6) "crypto pki certificate pool" can't be removed after that.
Workaround
There is no workaround for this.
Further Problem Description
This issue would be a cosmetic issue for most cases unless you were using a script that depends on your configuration being an exact match.
