Facts:
1. iOS 12 is forcing us to remint our certificate from sha-1 to sha-2.
2. My Internal Cert expires in 2020.

Questions:
Because of iOS and Android devices and their mobility. Should I consider changing from a internal to an external cert? Is anyone else doing this?

Is it safe to migrate from an internal CA to and External CA? Has anyone done this and have a process for it.

If I stay with the Internal CA which expires in 2020, Has anyone done this and have a process for it? I guess I'm forced to do this sooner now that we have a SHA-2 requirement.

I presume if the CA and certs get screwed up, my 2500 plus workstations will no longer communicate to the ZCM servers. Which will make for a week...

Thanks