When we installed our SCCM environment a few years ago, we used sha1 as an algorithm for the certificate templates. We since than upgraded our domain controller which hosts the CA to sha256 as part of upgrading our active directory to 2016.
Our setup was listening on both http and https on our intranet and https on internet facing MP. Since we use Bitlocker on our computers and 1910 is integrated with MBAM we wanted to migrate our environment to https only. the transition went smooth mostlywhere our computers that are domain joined use the new sha256 certificates to talk to our MP's and the policy "Automatic certificate management" is enabled. So even when those computers are on the internet they are able to connect to the DMZ MP andreport + get the deployments.
Our problem is with our workgroup computers. I didn't deploy the new trusted root CA to the workgroup computers which means that it gets invalid certificate. I understand that I will need to manually deploy new certificates to these computers but now I'm facing another problem: The next time I'll be required to renew my CA certificate I will have to reissue new certificate for those computers because the chain will be broken.
How can I automate this process? I want to know when an issued certificate, be it for a domain joined or workgroup, intranet or internet, server or client or trusted root. It will be renewed automatically after the CA is renewing it's certificate or a clientcertificate is expired.
I understand that renewing IIS and DP certificate is a manual thing but beyond that I don't believe people are manually renew their IBC computers.