Replace ext server cert with new ext server cert issued by same CA.

We use a eDir external CA and I need to redo the server certificates size 2048
Once I have created the certificates and run the zman sacert for each of the 4 primary servers in the zone, I need to refresh all the devices
in order for the newly imported Primary server certificates to be sent to all the workstations / devices as configuration data.

I then need to enforce the new certificates with novell-zenworks-configure -c SSL -Z
Do I only do this once all 5000 devices have been refreshed and If I enforce the certificates prior to all devices being refreshed, will those that have not
yet been refreshed still be able to communicate with the servers and receive the new certificate info.
I would hate to refresh and enforce the certificates and find I have lost comms with lots of devices.

We have a combination of ZCM 11.2 and ZCM 10.3.1 agents running. I want to sort all the certificates out before I update the majority of agents out there from ZCM 10.3.1 to 11.2