I have deployed a custom truststore and keystore to my endpoint servers. I need to understand how agents get the new signed certificates.
A custom keystore or truststore deployed to an endpoint server does not include a signed agent certificate, because agent certificates are typically unique to each endpoint.
You can deploy agents with a custom truststore that trusts the agent certificates installed into the local OS store, either before or after the agent installation.
If you are using a custom truststore, you must separately install the custom signed certificates into the local OS certificate store on Windows endpoints and the keychain on Mac endpoints. The custom certificates are not deployed with the agent package. They will typically be in .pfx or .cer format and should have a 'purpose' (extended key usage) of 'Client Authentication'. Please consult your PKI administrator for more information.
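As an added pre-import check (example script, not part of the Broadcom article or the product), the following confirms that a .cer or .pfx file carries the Client Authentication extended key usage before it is placed in the endpoint's OS store. The helper that generates sample self-signed certificates is constructed for demonstration only, and the script assumes openssl 1.1.1 or later is on the path.

```shell
#!/bin/sh
# Added example: verify a certificate's extended key usage before it is
# imported into an endpoint's local OS store. Not Broadcom's own tooling.

# Returns 0 when the certificate at $1 (PEM or DER .cer) lists
# TLS Web Client Authentication in its X509v3 Extended Key Usage,
# 1 otherwise. Exported .cer files from Windows are usually DER, so the
# input format is detected from the PEM header.
has_client_auth_eku() {
    cert="$1"
    inform="pem"
    if ! grep -q "BEGIN CERTIFICATE" "$cert" 2>/dev/null; then
        inform="der"
    fi
    openssl x509 -in "$cert" -inform "$inform" -noout -text 2>/dev/null \
        | grep -q "TLS Web Client Authentication"
}

# Same check for a .pfx (PKCS#12) bundle protected by password $2; only the
# client certificate is extracted, the private key never leaves the bundle.
has_client_auth_eku_pfx() {
    pfx="$1"
    pass="$2"
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -q "TLS Web Client Authentication"
}

# Constructed sample data for demonstration: a self-signed certificate
# written to $1 (key in $1.key) with the extended key usage given in $2,
# e.g. clientAuth or serverAuth. Requires openssl 1.1.1+ for -addext.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=sample-endpoint" -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: ./check_eku.sh <certificate.cer|certificate.pem> [pfx-file password]
if [ "$#" -eq 1 ]; then
    if has_client_auth_eku "$1"; then
        echo "OK: $1 has the Client Authentication purpose"
    else
        echo "FAIL: $1 lacks the Client Authentication purpose" >&2
        exit 1
    fi
elif [ "$#" -eq 2 ]; then
    if has_client_auth_eku_pfx "$1" "$2"; then
        echo "OK: $1 has the Client Authentication purpose"
    else
        echo "FAIL: $1 lacks the Client Authentication purpose" >&2
        exit 1
    fi
fi
```

Run it against each certificate before import; a certificate issued with only a server or code-signing purpose will be rejected here rather than failing silently at agent connection time.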
For an overview of deploying 3rd party certificates to endpoint servers and agents please see the following:
Configuring Endpoint Prevent Servers to Use Custom Certificates (broadcom.com)