Configured certificates, CRLs, and keys are cached in memory before they are used by the system.
Every certificate/CRL/Key has one cache copy system-wide.
For a CA certificate and CRL, the cache is created when there is a ca-profile and when a no shutdown is performed, and removed.
For an ipsec-tunnel or ipsec-gw using legacy cert and key configurations, the cache is created only when the first tunnel using it is in a no shutdown state, and it is cleared when the last tunnel that used it is shutdown.
For an ipsec-tunnel or ipsec-gw using cert-profile, the cache is created when the first cert-profile using it is in a no shutdown state, and removed when the last cert-profile that used it is shutdown.
If a certificate or key is configured with both a cert-profile and legacy cert or key command, then the cache is created when the first object (a ipsec-gw, ipsec-tunnel or cert-profile) using it is in a no shutdown state and removed the last object using it is shutdown.
To update a certificate or key without a shutdown ca-profile or ipsec-tunnel/ipsec-gw, there is a CLI command (admin certificate reload) to manually reload the certificate and key cache. For details about reload, see the command description for admin certificate reload.