Only a single verification can be active at a time on a Chef Server, so nodes will not be able to check in if you change the Chef Server's domain/certificate and do nothing else.
You should keep the following in your back pocket to add to /etc/chef/client.rb. If all else fails, it will allow your client nodes to continue checking in:
I would recommend testing the new certificate on a separate, non-production Chef Server system.
If a certificate can be verified by knife, it will also be successfully verified by Chef Client.
Just set up the server with the name you want and the new certificate according to https://docs.chef.io/server_security.html, then, from your workstation, do:
knife ssl fetch
knife ssl check
Then, register a test node against the same server and copy the contents of the .chef/trusted_chef directory from your workstation into the /etc/chef/trusted_certs directory on your test node. You may have to create it depending on how your node was bootstrapped; see https://docs.chef.io/chef_client_security.html#chef-trusted-certs
The test will then be whether or not you need to add ssl_verify_mode :verify_none to the client.rb file of the test node to get past the SSL handshake. If not, you're good to go and everything is working properly.
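
One way to script the final check on the test node, as an added example that is not part of the original post. The function name and exit codes are assumptions; the file locations are the ones named above and are passed in as arguments.

```shell
#!/bin/sh
# Added example: confirm a test node passes the SSL handshake with
# verification still enabled, i.e. without the verify_none fallback.
#
# Exit status (assumed convention for this example):
#   0 = no active verify_none line and at least one trusted cert present
#   1 = ssl_verify_mode :verify_none is active in client.rb
#   2 = trusted_certs directory is missing or holds no certificates
check_node_tls_config() {
    client_rb=$1      # e.g. /etc/chef/client.rb
    trusted_dir=$2    # e.g. /etc/chef/trusted_certs

    # Only an uncommented line counts; "# ssl_verify_mode ..." is inert.
    # Accepts both "ssl_verify_mode :verify_none" and the parenthesised form.
    if grep -Eq '^[[:space:]]*ssl_verify_mode[[:space:](]*:verify_none' "$client_rb"; then
        echo "FAIL: $client_rb disables certificate verification"
        return 1
    fi

    # The procedure above copies the fetched certificates into this
    # directory; an unmatched glob stays literal and fails the -f test.
    for f in "$trusted_dir"/*.crt "$trusted_dir"/*.pem; do
        if [ -f "$f" ]; then
            echo "OK: verification enabled, trusted cert present: $f"
            return 0
        fi
    done

    echo "FAIL: no certificates found in $trusted_dir"
    return 2
}

# Usage on the test node:
#   check_node_tls_config /etc/chef/client.rb /etc/chef/trusted_certs
```

A result of 1 after the migration means the fallback setting was left in place and the node is no longer validating the server's certificate.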