A number of digital certificates were misidentified as either client or server certificates by the application groups that sent them.  The certificates are actually Root or Intermediate CA's. Can they be renamed to better reflect what they are used for per the company's security policy?

DIGICERT names cannot be re-named. You will have to export the certificate, delete the certificate and re-add it with the desired digicert name. 

Example: 
1.  Export the certificate to a dataset: 
TSS EXPORT(acid) DIGICERT(digicertname) DCDSN(datasetname) FORMAT(PKCS12DER) PKCSPASS(password) 
**Note: FORMAT(PKCS12DER) & PKCSPASS(password) are only needed if the certificate has a private key.
2.  Delete the certificate. 
TSS REM(acid) DIGICERT(digicertname) 
**Note: If you remove a certificate from the owning acid you remove it from Top Secret.  This means it will be removed from any keys it is attached to.
3.  Add the certificate back under a new name. 
TSS ADD(acid) DIGICERT(newdigicertname) DCDSN(datasetname) PKCSPASS(password) LABLCERT(lablcertname) 
4.  Add the certificate back to any keyrings it was added to.
TSS ADD(acid) KEYRING(keyring) RINGDATA(owner_of_cert,cert) USAGE(personal or certauth) Default => If it is gong to be the default

LABLCERT names can be changed with a: 
TSS REP(acid) DIGICERT(digicertname) LABLCERT(newlablcertname)