On page 380 of the documentation, 36.3 "Replacing an External Certificate with a New External Server Certificate isuued by the same Certificate Authority", point 7 "Refresh all devices", it it say :

"If any device is not reachable during the refresh, you must first establish a connection with the device, then run the following command at the console prompt of each device to reestablish the trust between the device and the zone:

zac -retr -u ....


Not sure I understood well because I m not english native.

Si does it means that all workstations that were not powered on during the refresh will not be able to communicate with primary servers when they will be online again until the zac command is lauched manullay on these worksations???