IAP goes nuts after CP certificate change
09-19-2019 11:07 PM
We have an IAP cluster that does guest captive portal authentication to a ClearPass server in controller-initiated mode. If it makes any difference, the IAPs are managed by Central. Before a permanent public certificate arrived, I had to install a local CA-signed CP cert on the IAPs. The service worked as it should. Once I got my shiny DigiCert CP cert and installed it on the IAP cluster, the guest part went nuts. Guests did get the proper initial role, but the policies in that role did not work as expected, to say the least. For most devices, the captive portal redirect was not working. Some web pages were accessible without authentication. Even when the deny policy was moved to the top, some web pages were still opening. The resolution was to reboot the whole IAP cluster. It is a cluster of 8 305 IAPs running 22.214.171.124. I am wondering if this is expected behavior. There is no warning of any kind that a certificate replacement must be followed by a reboot. Even if it is a feature, not a bug, is this acceptable to the community?