Over the last week or so, I've worked with an engineer from Novell to
resolve some certificate errors and I'm almost all the way fixed at this
point. I switched from an internal to an external certificate and after
installing my CA on my existing satellites and workstations, all appears
to be well.

However, I'm finding that my agent packages still hold the old
(incorrect) certificate. This despite running both the
CreateExtractorPacks command line and trying to edit the deployment
packages from the ZCC. Manually extracting the files from the packages
confirm that they're not including the updated (working) certificate.

Browsing my primary server, I see a ca.der in the \conf\security folder,
but it's the older, incorrect one. And yet the server.der in the same
folder is the correct one, signed by the "missing" CA. Is that ca.der
what's used to sign the certificate in the agent package? And, if so,
can I just replace that with the updated working CA certificate?