- Would like to get a better understanding of the certificate process in APIC-EM. What happens if we say Device Certificate = False? The PnP communication takes place in clear text. Need a cert to establish SSH access; how does that happen, as that is typically an interactive process?
- If we do say "True", we now have a PnP certificate on the device. What if the APIC-EM provisioning step is a one-time thing? Should we leave the cert there? What if we want to create another certificate for general SSH login access, different from the PnP cert?
- Configuration Guide for Cisco Network Plug and Play on Cisco APIC-EM - Configuring Cisco Network Plug and Play [Cisco …
Check the Device Certificate check box to apply the device certificate on the device. Cisco Network Plug and Play automatically generates and deploys the PKCS12 device ID certificate. Device Certificate is not supported on access point devices.
There are two ways a certificate will be created on a switch (not access point).
1) If you click on device certificate, then APIC-EM will create and download a certificate to the device. This certificate can be used by SSH etc.
2) If you have "ip https server" in the config, then the device will create a self-signed certificate.
#1 is probably preferable.
If you wanted to add/create other certificates, you would need to do this outside of PnP, possibly using an EEM script etc.