Chrispyyy: I also think that a new SCEP Profile will be good, so you have both certificates in parallel and no downtime. Additionally, then you can make a staggered enrollment, especially in larger environments: When changing a SAN in a SCEP configuration profile, all clients in scope will immediately request a new certificate (it is compiled in a table here; I don't know of any documentation in Microsoft's docs: Re-enrollment trigger | SCEPman), which can place a lot of load on the SCEP service.
But then again, the whole underlying Certifried authentication issue applies to user certificates whose CA is in the NTAuth store. Microsoft RAS is the only VPN solution I know of that requires the CA to be in the NTAuth store. Maybe you could switch to another VPN solution like Azure VPN (Configure Azure VPN Client - Microsoft Entra ID authentication - Microsoft-registered App ID - Windows - Azure VPN Gateway | Microsoft Learn)? Then you could remove your CA from the NTAuth store, maybe switch to Full Enforcement mode, and wouldn't need the SID in your certificates.
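Before acting on the advice in the reply above (pulling a CA out of NTAuth, moving the KDC to Full Enforcement, dropping the SID from the certificates), an admin wants to know which CAs are in NTAuth today, which enforcement mode the DCs are in, and which issued user certificates lack the SID extension and would therefore stop authenticating. The following PowerShell is an added example, not code from the original post, SCEPman or Microsoft. It assumes a domain-joined Windows host with read access to the AD Configuration partition, that `Get-KdcEnforcementMode` is run on a domain controller, and that the certificate store path is the current user's personal store; the function names are hypothetical.

```powershell
# Added example (not from the original post). Inventory checks to run before removing a
# CA from NTAuth or switching the KDC to Full Enforcement (KB5014754).
# Assumptions: domain-joined host; Get-KdcEnforcementMode runs on a domain controller;
# Get-UserCertSidStatus reads Cert:\CurrentUser\My unless told otherwise.

function Get-NtAuthCertificates {
    # NTAuth is not a local certificate store: the CA certificates trusted for
    # certificate logon live on the NTAuthCertificates object in the Configuration NC.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($raw in $ntAuth.Properties["cACertificate"]) {
        $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{
            Subject    = $ca.Subject
            Thumbprint = $ca.Thumbprint
            NotAfter   = $ca.NotAfter
        }
    }
}

function Get-KdcEnforcementMode {
    # StrongCertificateBindingEnforcement on the DC: 0 = disabled, 1 = compatibility,
    # 2 = full enforcement. An absent value means compatibility mode (KB5014754).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $prop = Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
    $value = if ($null -eq $prop) { 1 } else { [int]$prop.StrongCertificateBindingEnforcement }
    switch ($value) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'FullEnforcement' }
        default { "Unknown($value)" }
    }
}

function Get-UserCertSidStatus {
    # Strong mapping is carried by the SID security extension (OID 1.3.6.1.4.1.311.25.2).
    # A certificate from an NTAuth CA that lacks it (and has no altSecurityIdentities
    # mapping on the account) is rejected for logon once the KDC is in Full Enforcement.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    $sidOid      = '1.3.6.1.4.1.311.25.2'
    $ntAuthNames = (Get-NtAuthCertificates).Subject
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $hasSid = $null -ne ($_.Extensions | Where-Object { $_.Oid.Value -eq $sidOid })
        [pscustomobject]@{
            Subject        = $_.Subject
            Issuer         = $_.Issuer
            # DN string comparison; a chain build to the NTAuth thumbprint would be stricter.
            IssuerInNTAuth = $ntAuthNames -contains $_.Issuer
            HasSidExt      = $hasSid
            NotAfter       = $_.NotAfter
        }
    }
}

# Usage: NTAuth inventory, the DC's current mode, and the user certs that would break
# under Full Enforcement (issued by an NTAuth CA, no SID extension).
Get-NtAuthCertificates | Format-Table -AutoSize
"KDC mode: $(Get-KdcEnforcementMode)"
Get-UserCertSidStatus | Where-Object { $_.IssuerInNTAuth -and -not $_.HasSidExt } | Format-Table -AutoSize
```

Once the SCEP CA no longer appears in `Get-NtAuthCertificates`, the last query is expected to return nothing for certificates from that CA, which is exactly the state in which the SID extension becomes unnecessary for the VPN use case described above. Run the mode check on every DC, since the registry value is per machine.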