I have a large customer that needs to update their client side certs (Intermediate and issuing) and are in need of some best practices and better way of doing things.

Back ground;• They are using EAP-TTLS  CHAP• Root cert expires in 18year• Intermediate cert expired on 8/31, they got it extended until 1/1/10• Radius server is Funk Steel-Belted• Need to update about 6000 devices• SOTI management software is being used• Devices 9060, 9090 WM, VC5090, WT4000

Steps they are currently doing to update certs;• Bring online a new Radius server to support new Root cert• Turn off certificate validation• Load new certs on device• Implement new wireless configuration (vlan)• Create new wireless configuration (profile) that uses new cert• Remove old profile• Turn on certificate validation

What we are looking for is processes you have used in the past to update certs in a large environment and if you know of a better security that they should be using that is easier to manage?

Thanks in advance for the help