Updating servers with new SHA256 certs (a root and an intermediate). The new SHA256 certs have to be installed on the mainframe to match the servers. We have the SHA256 certs on our CERTAUTH acid, but have to add them to the keyrings of every CICS acid that we have. There are over a hundred acids across several LPARs that need the new certificates. The certificates are from a third-party CA (Certificate Authority), and Top Secret is the ESM.
Is there a way to add the certs to an LPAR directly so the acids do not have to be updated individually?
Release: 16.0
When this was first set up, you may have been able to use a virtual keyring (see "Extract Certificates from a Virtual Keyring"). With a virtual keyring, all the certificates used to authenticate are owned by CERTAUTH, and there is no actual keyring on the acid(s). For a virtual keyring to be used, the application must support a keyring name of (*).
At this point, the administrative effort needed to change to a virtual keyring far exceeds the benefits.
There is no way to populate keyrings en masse.