The CA_MSSO private key which we are using for the mobile API Gateway calls is going to expire.  The Alias name should always be  ca_msso as per the document. Because as this a production, we can't wait till it expires and we wanted to it to renew ahead. If we create a new private key with the same alias and map it to the policy, will that be okay? Or do we need to delete the existing key first?

Component: CA Mobile Gateway

You will need to delete and recreate the existing CA_MSSO private key.  One this has been done and a new private key is created you will need to update the polices that reference this Key as well. 

You will need to update the "Sign Certificate" on the following policies and lines. Note: These line numbers are for MAG 4.2. Other versions the line numbers may vary. You can look for the sign certificate assertions in each policy to get the correct lines.

connect/device/renew line 27

connect/device/register line 55 and 110,

connect/device/register/client 46 & 54

Your user will need to validate and register with the new key when they log on.