Not addressing your enrollment question, but your statement...
"I understand that new certificate needs to be installed and assigned prior to me changing IP and Hostname."
...I believe is wrong. Before you do anything regarding public certificates you should have your networking & DNS — both internal (LAN) & external (Internet) — fully working and set up. Only then should you proceed with installing a public certificate.
Here's what I've done:
- I'm not using a signed cert, only trusted
- Server is using domain name internally
- Server is on LAN behind NAT device
- Ports PM uses are open and forwarded to the OS X server
- Server name resolves both internally and externally
With correct ports open and forwarded and the name resolving, I can push settings to users internally and externally.
As far as I'm aware, once the cert expires you have to re-enrol the devices. Same deal if you're changing the cert.
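The checklist in the post above (name resolves on both sides of the NAT, forwarded ports reachable, certificate not about to expire and force a re-enrol) can be scripted as a pre-flight check. The following is an added example, not code from the thread or from Profile Manager; the hostname `pm.example.test`, the addresses `192.168.1.10` / `203.0.113.5` and the `resolver` parameter are constructed so the checks can run offline, and the expiry string format is the one `ssl.getpeercert()` returns.

```python
"""Pre-flight checks before installing a public certificate on a Profile Manager host.

Added example for this thread, not from the original posts. Hostnames and IPs are
constructed placeholders; the resolver argument lets the DNS checks run offline.
"""
import socket
import ssl
from datetime import datetime, timezone


def resolve_hostname(hostname, resolver=socket.gethostbyname):
    """Return the IPv4 address hostname resolves to, or None if the lookup fails."""
    try:
        return resolver(hostname)
    except (socket.gaierror, OSError):
        return None


def split_horizon_ok(hostname, lan_resolver, wan_resolver, expected_lan_ip, expected_wan_ip):
    """True when the name resolves on both sides to the addresses you expect:
    the private LAN address from inside and the NAT device's public address
    from outside. This is the "resolves internally and externally" check."""
    return (resolve_hostname(hostname, lan_resolver) == expected_lan_ip
            and resolve_hostname(hostname, wan_resolver) == expected_wan_ip)


def days_until_expiry(not_after, now=None):
    """Days left on a certificate given its notAfter string in the format
    ssl.getpeercert() uses, e.g. 'Jun 10 12:00:00 2025 GMT'. Negative means expired,
    which is the point at which enrolled devices would have to re-enrol."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - now).days


def port_open(host, port, timeout=3.0):
    """TCP connect test for a forwarded port; True if the connection succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values; replace with your own host and addresses.
    host = "pm.example.test"
    print("DNS (this resolver):", resolve_hostname(host))
    print("Cert days left (sample):", days_until_expiry("Jun 10 12:00:00 2025 GMT"))
    print("Port 443 reachable:", port_open(host, 443))
```

Run the LAN and Internet resolution checks from a machine on each side (or point `resolver` at each side's DNS); only when both agree with your NAT layout, and the forwarded ports answer, is it worth installing the public certificate.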