This post mainly refers to Cisco Catalyst switches, and I have tested this on a production network without any issues. But again, proceed with caution! Cisco recommends having a CA trustpoint configured on all Cisco devices for secure communication (the HTTPS management interface, for example). If you do not have one, the switch falls back to a self-signed certificate, which has to be renewed over time. This is the full article from Cisco: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html
There is also a great community article: https://community.cisco.com/t5/networking-documents/a-self-signed-certificate-is-added-to-a-cisco-catalyst-switch/ta-p/3124222
Here are the steps in short form:
*** SSH into the switch or connect to the console.
*** show crypto pki certificates - lists every certificate on the switch with its validity dates, so you can locate the expired one.
*** Note the trustpoint name of the expired certificate. For the self-signed certificate it is printed on the "Associated Trustpoints" line and looks like TP-self-signed-51XXXXXX (the number is unique to the switch).
*** Enter privileged EXEC mode (enable) and then global configuration mode (configure terminal); the next three commands are configuration commands.
*** no ip http secure-server - disable the HTTPS server before doing any renewal.
*** no crypto pki trustpoint TP-self-signed-51XXXXXX - the trustpoint name you located with the first command. IOS asks you to confirm that you want to destroy the certificates belonging to the trustpoint; answer yes.
*** ip http secure-server - re-enables the HTTPS server, which generates a new trustpoint and a new self-signed certificate.
*** do show crypto pki certificates - check that the new certificate is there with a new validity period.
*** write memory (or copy running-config startup-config) - the self-signed certificate is stored in the running configuration as a crypto pki certificate chain block, so if you do not save, the old expired certificate comes back after a reload.
Then you are done.

One caveat: on IOS releases affected by the 1 January 2020 self-signed certificate expiry described in the Cisco article linked above, the regenerated certificate gets the same expiry date and is already expired the moment it is created. There this procedure does not help; see that article for the fixes (upgrading to a fixed IOS release, or using a certificate issued by a CA trustpoint).
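As an added example that is not part of the original post, here is a small Python script that does the "locate the expired one" step offline: it parses the text of show crypto pki certificates, flags any self-signed certificate whose end date has passed, and prints the command sequence above for that trustpoint. The sample output in the script is constructed to match the IOS layout, not captured from a real switch, and the function names are my own.

```python
"""Find expired self-signed certificates in 'show crypto pki certificates'
output from a Cisco IOS / IOS-XE switch and emit the renewal commands.

Added example; the sample output below is constructed for illustration,
not captured from a real switch."""
import re
from datetime import datetime, timezone

# Constructed sample: an expired self-signed certificate plus a still-valid
# certificate from a CA trustpoint, in the layout IOS prints.
SAMPLE_SHOW_OUTPUT = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-512345678
  Subject:
    Name: IOS-Self-Signed-Certificate-512345678
    cn=IOS-Self-Signed-Certificate-512345678
  Validity Date:
    start date: 00:13:21 UTC Mar 1 2002
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-512345678
  Storage: nvram:IOS-Self-Sig#1.cer

Certificate
  Status: Available
  Certificate Serial Number (hex): 1A2B3C
  Certificate Usage: General Purpose
  Issuer:
    cn=corp-issuing-ca
  Subject:
    Name: switch01.example.test
    cn=switch01.example.test
  Validity Date:
    start date: 12:00:00 UTC Jun 1 2023
    end   date: 12:00:00 UTC Jun 1 2026
  Associated Trustpoints: CORP-CA
  Storage: nvram:corp-issuing#2.cer
"""

# "end   date: 00:00:00 UTC Jan 1 2020" -> time, tz name (ignored), month, day, year
END_DATE_RE = re.compile(
    r"end\s+date:\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})"
)
# The first trustpoint listed is the one the certificate belongs to.
TRUSTPOINT_RE = re.compile(r"Associated Trustpoints:\s+(\S+)")


def utc(year, month, day):
    """Timezone-aware UTC datetime, used as the 'now' for the expiry check."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_certificates(show_output):
    """Return one dict per certificate block: trustpoint, not_after, self_signed.

    IOS prints validity dates in the device's configured clock timezone; this
    code assumes that is UTC, so expect an offset of a few hours otherwise."""
    certs = []
    # Each certificate block starts on an unindented header line.
    for block in re.split(r"\n(?=\S)", show_output.strip()):
        end = END_DATE_RE.search(block)
        tp = TRUSTPOINT_RE.search(block)
        if not end or not tp:
            continue
        hms, mon, day, year = end.groups()
        not_after = datetime.strptime(
            f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y"
        ).replace(tzinfo=timezone.utc)
        trustpoint = tp.group(1)
        certs.append({
            "trustpoint": trustpoint,
            "not_after": not_after,
            "self_signed": trustpoint.startswith("TP-self-signed-"),
        })
    return certs


def expired_self_signed(show_output, now=None):
    """Trustpoint names of self-signed certificates whose end date has passed."""
    now = now or datetime.now(timezone.utc)
    return [c["trustpoint"] for c in parse_certificates(show_output)
            if c["self_signed"] and c["not_after"] <= now]


def renewal_commands(trustpoint):
    """The configuration sequence from the steps above, for one trustpoint."""
    return [
        "configure terminal",
        "no ip http secure-server",
        f"no crypto pki trustpoint {trustpoint}",   # IOS asks yes/no here
        "ip http secure-server",
        "do show crypto pki certificates",
        "end",
        "write memory",
    ]


if __name__ == "__main__":
    for tp in expired_self_signed(SAMPLE_SHOW_OUTPUT, utc(2024, 1, 1)):
        print(f"! {tp} has expired, renew with:")
        print("\n".join(renewal_commands(tp)))
```

Paste the real show output into SAMPLE_SHOW_OUTPUT (or read it from a file) and drop the fixed date to check against the current time; the script only prints commands, it does not talk to the switch.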