CGAs can be non-persistent because:
The operator forgot to configure an RSA key pair for SeND, therefore, the CGAs were generated based on an auto-generated RSA key pair.
The operator forgot to synchronize an RSA key pair file to the stand-by CPM and a switch-over happens.
The CGAs were generated by a software version not having persistent CGAs (such as, ISSU).
The system was booted from a configuration file generated by a software version not having persistent CGAs.
Key rollover
You can import a new RSA key pair for SeND with the key-rollover keyword. This results in the regeneration of all CGAs on all interfaces.
Exporting the SeND RSA key pair
Another method that does not result in the regeneration of the CGAs is to export the RSA key pair that is currently in use by SeND to the system-pki directory via an admin command:
admin certificate secure-nd-export
This command writes the RSA key pair to the file cfx:\system-pki\secureNdKey in encrypted der format.