The Cisco Catalyst 9800-CL platform does not contain manufacturer-installed SUDI certificates. You will need to configure self-signed certificates on your controller.
APs running earlier software versions, whose Manufacturer Installed Certificate (MIC) was issued by a SHA1 Cisco Trusted CA, cannot join a controller that uses a SHA2 SUDI certificate. During the CAPWAP join process, the AP reports a bad certificate error and tears down the DTLS handshake.
Workaround: To upgrade these APs, configure self-signed certificates on the controller. Once the APs are upgraded, you can delete the self-signed certificates and revert to the SUDI certificate.
This workaround does not apply to the Embedded Wireless Controller on Catalyst 9k switches, but it does apply to hardware appliance controllers such as the Cisco Catalyst 9800-40, Cisco Catalyst 9800-80, and Cisco Catalyst 9800-L.
The certificate used for DTLS connections (AP and mobility) must use an RSA key of at least 2048 bits; otherwise, AP and mobility connections will fail after a reload. Run the show crypto pki certificate verbose _tp-name_ command to display the key size of the device certificate.
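As an added check that is not part of the Cisco document, the following Python script parses `show crypto pki certificate verbose` output collected from a controller and lists every trustpoint whose device certificate has an RSA key shorter than 2048 bits, so the key-size requirement above can be verified before a reload. The sample output is constructed to resemble the IOS XE format; the exact field labels and trustpoint names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

MIN_RSA_BITS = 2048  # required for the DTLS certificate (AP join and mobility)

# Constructed sample, modeled on IOS XE "show crypto pki certificate verbose"
# output; the field labels are an assumption, not copied from a real device.
SAMPLE_OUTPUT = """\
Certificate
  Issuer:
    cn=TP-self-signed-1234567890
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Associated Trustpoints: TP-self-signed-1234567890

Certificate
  Issuer:
    cn=Example Enterprise CA
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Associated Trustpoints: WLC-DTLS-TP
"""

@dataclass
class CertInfo:
    trustpoint: str
    key_bits: Optional[int]  # None when no RSA key size line is present
    sig_algo: str

def parse_certificates(text: str) -> list:
    """Split the output into device-certificate blocks and extract the fields."""
    certs = []
    for block in re.split(r"^Certificate$", text, flags=re.M)[1:]:
        tp = re.search(r"Associated Trustpoints:\s*(\S+)", block)
        bits = re.search(r"RSA Public Key:\s*\((\d+) bit\)", block)
        sig = re.search(r"Signature Algorithm:\s*(.+)", block)
        certs.append(CertInfo(tp.group(1) if tp else "<unknown>",
                              int(bits.group(1)) if bits else None,
                              sig.group(1).strip() if sig else "<unknown>"))
    return certs

def weak_trustpoints(text: str, min_bits: int = MIN_RSA_BITS) -> list:
    """Trustpoints whose key is too short for DTLS; these fail after a reload."""
    return [c.trustpoint for c in parse_certificates(text)
            if c.key_bits is None or c.key_bits < min_bits]
```

Running `weak_trustpoints(SAMPLE_OUTPUT)` on the constructed sample returns only the 1024-bit self-signed trustpoint; blocks without an RSA key size line are also reported so they can be inspected by hand.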