I asked TAC for it and they just sent me the CAPF doco...
However, I found:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-7/exwy_b_mra-deployment/exwy_m_provisioning-mra-devices.html
But it seems to suggest only your internal CA needs to be in
@Jonathan Charles one very interesting thing you mentioned
"*Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
gets the activation code it downloads those certs into its trust store.*"
Would you happen to know where that is documented, and if so share the
link? I was not
OK, TAC never responded to me, but I found the solution. I did a packet
capture from the phone and saw it come back with an invalid CA for the
Let's Encrypt certs... I uploaded the cert chain for Let's Encrypt to
Phone-Edge-Trust on the CCM Publisher and the phone registered.
Phone-Edge-Trust u