An auto-generated CA certificate on CAPsMAN is a quick and dirty way to get you up and running with certificates. It would be better to implement a more advanced PKI for devices in your authority, e.g.:
- generate root CA certificate, keep it somewhere safe, not on any CAPsMAN
- issue CA certificate signed by root for each CAPsMAN, install on each CAPsMAN along with trusted root CA
- have CAPs trust your root CA (*)
Now CAPsMAN can sign certificate requests from CAPs with its sub-CA. CAPs will connect to any CAPsMAN with certificate signed by root CA, and CAPsMAN will accept CAPs with certificates generated by any CAPsMAN, provided that CAP certificate chain ends with trusted root CA.
Unfortunately at the moment (*) from the above does not happen automatically - CAPsMAN sends only its own CA certificate to CAP when signing certificate request (CAP installs this CA certificate as trusted). Sending complete CA chain to CAP can be considered for implementation.
There is also a quick and dirty way to do what you want - just export the certificate on your old CAPsMAN along with its private key. You do this by: /cert export-certificate 0 export-passphrase=12345678. It will generate 2 files - certificate and key. Then import it in the new CAPsMAN. Beware - auto-generated certificates include the device's MAC address in CommonName. Currently this is not being checked, but this can change.
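The root CA, per-CAPsMAN sub-CA and CAP hierarchy from the post above, built off-router with openssl as an added example (not part of the original thread and not RouterOS commands). It shows why a CAP that trusts only the sub-CA it enrolled with rejects a second CAPsMAN, and why trusting the root fixes that. All names (root, capsman1, capsman2, cap1) are constructed.

```shell
#!/bin/sh
# Constructed names throughout (root, capsman1, capsman2, cap1); this is not RouterOS syntax.

ok() { openssl verify "$@" 2>/dev/null | grep -q ': OK$'; }

new_csr() {  # new_csr NAME: fresh key plus a CSR with CN=NAME
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
}

build_pki() {  # writes all files into the current directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Root CA: self-signed; in practice its key stays off every CAPsMAN.
  new_csr root && openssl x509 -req -in root.csr -signkey root.key \
    -extfile ca.ext -days 3650 -out root.crt 2>/dev/null || return 1
  # One sub-CA per CAPsMAN, each signed by the root.
  for n in capsman1 capsman2; do
    new_csr "$n" && openssl x509 -req -in "$n.csr" -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 1825 -out "$n.crt" 2>/dev/null || return 1
  done
  # CAP certificate issued by capsman1's sub-CA.
  new_csr cap1 && openssl x509 -req -in cap1.csr -CA capsman1.crt \
    -CAkey capsman1.key -CAcreateserial -days 365 -out cap1.crt 2>/dev/null
}

# CAP that trusts only the sub-CA it enrolled with, meeting capsman2: rejected.
sub_ca_only()           { ok -partial_chain -CAfile capsman1.crt capsman2.crt; }
# Same CAP once the root CA is in its trust store: accepted.
root_trusted()          { ok -CAfile root.crt capsman2.crt; }
# capsman2 checking cap1 when the CAP presents its issuing sub-CA: accepted.
capsman2_accepts_cap1() { ok -CAfile root.crt -untrusted capsman1.crt cap1.crt; }
# capsman2 checking cap1 with the sub-CA missing from the chain: rejected.
cap1_without_chain()    { ok -CAfile root.crt cap1.crt; }

work=$(mktemp -d) && cd "$work" && build_pki || exit 1
for check in sub_ca_only root_trusted capsman2_accepts_cap1 cap1_without_chain; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```

The last check is the case to watch on the CAPsMAN side: a CAP certificate only chains to the root if the issuing sub-CA is presented or already installed.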
Do you know any trick to import the trusted root CA in recent versions of ROS 6.28+?
I need to upgrade an RB2011 to RB3011 and the import of the trusted root CA goes successfully but it's not recognized as a CA. It has only KT flags and misses the A flag. Inside CAPs manager when selecting the CA it does not appear.