Top Secret Replace/Renew a digital certificate best practices


Article ID: 16065



Top Secret


Is there a best approach to replacing or renewing digital certificates?


Release: TOPSEC00200-16-Top Secret-Security


There are several approaches.

1. Back up the old certificates to datasets, delete the certificates, then add the new certificates.
2. Keep the old certificates, add the new certificates under different, unique DIGICERT names, remove the old certificates from the keyring and add the new certificates to the keyring. Because nothing is deleted, the old certificate can be put back easily.
3. Use the TSS RENEW command. It can only be used against certificates created by CA Top Secret, not certificates issued by a third-party Certificate Authority.
4. Use TSS REKEY/ROLLOVER when the new certificate needs to be added to many keyrings.
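The following batch jobs are an added example (not from the original article) of approach 2, with approach 1's export taken first as a safety copy, and of the backout the article says approach 2 makes easy. All names are assumptions chosen for illustration: CERTOWN is the ACID that owns the certificates, APPOLD and APPNEW the DIGICERT names of the expiring and replacement certificates, APPNEW2025 the label given to the replacement, APPRING the keyring the application reads, and CERT.BKUP.P12 / CERT.NEW.P12 the PKCS#12 datasets for the backup and for the new certificate and key delivered by the CA. The TSS commands run under TSO batch (IKJEFT01) from SYSTSIN, with `-` as the TSO continuation character.

```jcl
//CERTSWAP JOB (ACCT),'CERT SWAP',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Approach 2 from the article, with approach 1's backup export taken
//* first. All names are illustrative assumptions:
//*   CERTOWN       ACID that owns the certificates and the keyring
//*   APPOLD        DIGICERT name of the expiring certificate
//*   APPNEW        DIGICERT name of the replacement (must be unique)
//*   APPRING       keyring the application reads
//*   CERT.BKUP.P12 PKCS#12 export of the old certificate and key
//*   CERT.NEW.P12  PKCS#12 from the CA with the new certificate and key
//*-------------------------------------------------------------------
//* STEP 1: export the old certificate with its private key before
//*         anything changes, so approach 1's restore path exists too.
//BACKUP   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS EXPORT(CERTOWN) DIGICERT(APPOLD) DCDSN(CERT.BKUP.P12) -
     FORMAT(PKCS12DER) PKCSPASS(BKUPPASS)
/*
//* STEP 2: add the replacement under a NEW digicert name. Nothing is
//*         deleted, so APPOLD stays available for backout. LIST it
//*         and check the subject, issuer and NADATE in SYSTSPRT.
//ADDNEW   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS ADD(CERTOWN) DIGICERT(APPNEW) DCDSN(CERT.NEW.P12) -
     PKCSPASS(NEWPASS) LABLCERT(APPNEW2025) TRUST
 TSS LIST(CERTOWN) DIGICERT(APPNEW)
/*
//* STEP 3: swap the ring entry: disconnect the old certificate,
//*         connect the new one as the default personal certificate,
//*         then list the ring to confirm which certificate is DEFAULT.
//SWAP     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS REMOVE(CERTOWN) KEYRING(APPRING) RINGDATA(CERTOWN,APPOLD)
 TSS ADD(CERTOWN) KEYRING(APPRING) RINGDATA(CERTOWN,APPNEW) -
     USAGE(PERSONAL) DEFAULT
 TSS LIST(CERTOWN) KEYRING(APPRING)
/*
//
//CERTBACK JOB (ACCT),'CERT BACKOUT',CLASS=A,MSGCLASS=X
//* Backout for approach 2: reconnect the old certificate as default.
//* APPNEW is left defined but disconnected, so the swap can be retried
//* later without re-adding it.
//UNDO     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS REMOVE(CERTOWN) KEYRING(APPRING) RINGDATA(CERTOWN,APPNEW)
 TSS ADD(CERTOWN) KEYRING(APPRING) RINGDATA(CERTOWN,APPOLD) -
     USAGE(PERSONAL) DEFAULT
 TSS LIST(CERTOWN) KEYRING(APPRING)
/*
//
```

Two checks are worth building into the change: read SYSTSPRT for TSS messages after each step rather than relying on the step return code, and confirm with the final `TSS LIST(CERTOWN) KEYRING(APPRING)` that APPNEW is now the DEFAULT certificate in the ring. If the application selects a certificate by label rather than taking the ring's default, the new certificate cannot reuse the old label under the same ACID, so the application's configuration must be pointed at the new label as part of the same change. Applications normally read the keyring at start-up or on an explicit refresh, so plan the swap together with that restart or refresh.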

There are benefits to each approach.
1. Easiest to do, but backing out is not as easy as with 2.
2. Second easiest to do administratively, but the easiest to back out.
3. Quickest method to renew, but the certificates must have been created by CA Top Secret.
4. Hardest to back out, but the easiest if there are thousands of keyrings the certificate needs to be added to. With only a few keyrings, 1 or 2 is the easier and better option.
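As an added example (not from the original article) of approach 4, the jobs below carry a replacement through REKEY, a signing request to the CA, and ROLLOVER, which is what makes the approach attractive when the old certificate is connected to many keyrings. Names are assumptions for illustration: CERTOWN (owning ACID), APPOLD and APPNEW (current and replacement DIGICERT names), APPNEW2025 (new label), CERT.OLD.P12 (safety export), CERT.CSR.B64 (the request sent to the CA) and CERT.SIGNED.B64 (the CA's reply). The operand names are given as the editor recalls them from the TSS command reference; confirm them, and the exact behaviour of ROLLOVER, against the command reference for your release before running this against production ACIDs.

```jcl
//CERTROL1 JOB (ACCT),'CERT REKEY',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Approach 4, part 1. Illustrative names:
//*   CERTOWN      ACID that owns the certificates
//*   APPOLD       DIGICERT name of the certificate in many keyrings
//*   APPNEW       DIGICERT name of the replacement
//*   CERT.OLD.P12 PKCS#12 export of APPOLD, taken because the article
//*                rates this approach the hardest to back out
//*   CERT.CSR.B64 certificate request to send to the CA
//* Operand names are assumed from the TSS command reference; verify.
//*-------------------------------------------------------------------
//* STEP 1: safety export, then REKEY to create APPNEW with a fresh key
//*         pair copied from APPOLD's subject, and GENREQ to write the
//*         signing request for the CA.
//REKEY    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS EXPORT(CERTOWN) DIGICERT(APPOLD) DCDSN(CERT.OLD.P12) -
     FORMAT(PKCS12DER) PKCSPASS(OLDPASS)
 TSS REKEY(CERTOWN) DIGICERT(APPOLD) NEWDIGIC(APPNEW) -
     LABLCERT(APPNEW2025) KEYSIZE(2048)
 TSS GENREQ(CERTOWN) DIGICERT(APPNEW) DCDSN(CERT.CSR.B64)
 TSS LIST(CERTOWN) DIGICERT(APPNEW)
/*
//
//CERTROL2 JOB (ACCT),'CERT ROLLOVER',CLASS=A,MSGCLASS=X
//* Approach 4, part 2: run only after the CA has returned the signed
//* certificate for the request above in CERT.SIGNED.B64.
//* STEP 2: add the CA-signed certificate back into APPNEW (the public
//*         key matches the request, so it replaces the REKEY copy),
//*         then ROLLOVER moves every keyring connection from APPOLD
//*         to APPNEW in one command instead of one REMOVE/ADD pair
//*         per keyring.
//ROLL     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS ADD(CERTOWN) DIGICERT(APPNEW) DCDSN(CERT.SIGNED.B64) TRUST
 TSS LIST(CERTOWN) DIGICERT(APPNEW)
 TSS ROLLOVER(CERTOWN) DIGICERT(APPOLD) NEWDIGIC(APPNEW)
 TSS LIST(CERTOWN) DIGICERT(APPNEW)
/*
//
```

Before ROLLOVER, the `TSS LIST(CERTOWN) DIGICERT(APPNEW)` output should show the CA as issuer rather than the self-signed REKEY copy; if it still shows the self-signed version, the ADD did not replace it and the ring connections would be moved to an untrusted certificate. The export of APPOLD in the first job is the only backout the approach leaves you, which is the trade-off the article describes: one command to update thousands of keyrings, at the cost of an easy return to the old certificate.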