Running SA2500 on 7.1R1.1 with host checker policy set to look for machine cert and realm authentication looking for user cert. My certs are coming up for renewal on 1/24 and am wondering how in the world my road warriors are going to be able to authenticate once I renew. The only thing I can think of is to disable the host checker policy and remove the client-side requirement so they can log in and refresh group policy so that the autoenrollment kicks off to automatically renew the certs. I can't be the only one that has run into this issue, so please, let me know how you solved it.
I think this should work:
Add the new CA cert as a "trusted for client authentication" certificate and add it to your host check rule. If you use CRL for your old CA, turn it off until all machines have been enrolled with a new certificate from the new CA.
It ended up being really painless to do. I renewed all of my certs in the chain (even the root) and exported them to the IVE. I now have my old CA chain listed as well as my new CA chain listed. On 1/25 I'll delete my old one in order to clean up. OCSP and CRL are working as expected with the new certs. Thanks for the feedback.