I have deployed a fabric network in a production environment with certificates generated with the cryptogen tool. Now I need to replace those certificates with ones generated using Fabric-CA or any other CA. What would be the correct approach to achieve this? Is it possible to do a configuration update transaction where I replace the existing certificates with the new ones, and what will happen to the existing transactions (blocks) which are signed by the old certificates (cryptogen certs)?
Any help would be appreciated.
Yes, it is a mess, but you can do that. You should update each organization's CA certificates (MSP and TLS) one by one for the ordering service channel and each one of the affected channels. Proceed with caution, in order, and save all your certificates and keys (the old and the new ones, as you will need different signatures in different steps). The process involves getting the configuration, transforms via configtxlator, signatures and transactions; in a similar way to creating a new channel or adding a new organization.
In fact, this is what should be done in a regular operation when your CA certificates expire.
And, as a reminder, in production environments you should always use CAs (avoid cryptogen, as it does not allow you to manage identities). Always use CouchDB for the state (not LevelDB). And always use Raft for the consensus of the ordering service.
EDIT: If you are in lazy mode and the new CAs don't exist yet, you can also try to configure your new CA with the old CA certificates from configtxgen. You are not going to be able to manage or revoke old identities/certificates, but it may be easier than updating your network.