Our PKI team just dropped a bomb on me: they are migrating the PKI servers to a new site next week (which means a new CA hostname). That means I can no longer renew the AD certificates in our installed profiles, which means "renewal" now requires installing a whole new profile. That carries with it the very real risk of a failed CSR, which means the OS removes the old cert and profile and the user is dead in the water, since all of our networks require that cert/profile. Very dangerous.
Has anyone run into this before? I'm wondering if there are some creative options to address this, like altering the CA name the OS will use to renew without reinstalling the profile, or creating a CNAME in our DNS to redirect the old CA hostname to the new hostname.
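On the CNAME idea: a DNS alias alone is not enough, because the Mac still validates the TLS certificate of the server it reaches against the old hostname it asked for, so the new CA web server's certificate has to list the old name in its SANs. The following is an added pre-flight check, not the poster's script or anything from Jamf or Apple; the two CA hostnames are placeholders.

```python
import socket
import ssl

# Placeholder hostnames, not real CA names.
OLD_CA_HOST = "old-ca.example.internal"
NEW_CA_HOST = "new-ca.example.internal"


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        # The wildcard covers exactly one label: "*.example.com" does not
        # match "example.com" or "a.b.example.com".
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def san_covers(cert: dict, hostname: str) -> bool:
    """True if the cert's DNS SANs cover hostname (the CN is ignored, as modern clients do)."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_match_dns_name(s, hostname) for s in sans)


def check_ca_alias(old_host: str, new_host: str, port: int = 443) -> dict:
    """Live check: does the old name resolve to the new server, and does the
    certificate it presents cover the old name? Requires the PKI's root to be
    trusted by Python's default store (or loaded via load_verify_locations)."""
    result = {"resolves_to_new": False, "san_covers_old": False, "error": None}
    try:
        old_addrs = {a[4][0] for a in socket.getaddrinfo(old_host, port)}
        new_addrs = {a[4][0] for a in socket.getaddrinfo(new_host, port)}
        result["resolves_to_new"] = bool(old_addrs) and old_addrs <= new_addrs
        ctx = ssl.create_default_context()
        # ctx.load_verify_locations("/path/to/internal-root.pem")  # if not in the system store
        ctx.check_hostname = False  # chain is still verified; we report the name match ourselves
        with socket.create_connection((old_host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=old_host) as tls:
                result["san_covers_old"] = san_covers(tls.getpeercert(), old_host)
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print(check_ca_alias(OLD_CA_HOST, NEW_CA_HOST))
```

If `san_covers_old` comes back False, the CNAME will redirect the request but the enrollment will still fail TLS validation on the client, so the new server needs a certificate reissued with the old hostname as an additional SAN before the alias does any good.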