I have a question I don't stop thinking about,
If a have a certificate from a CA in a controller M1 and I replace that controller with a new M3, doing restore "flash flashbackup.tar.gz", which certificate is used for CPSec, the previous one used in M1 or some new certificate shipped with the new M3?.
I asking that because after upgrading to M3, I have had to reaprove all my AP to install a new certificate and get ready with the new master.