ACF2 REFRESH or REBUILD required after INSERTing new certificates and KEYRING

Article ID: 35712

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

After INSERTing new certificates and a KEYRING into ACF2, is a REFRESH or REBUILD required to activate the new profile records?

Resolution

Whether a REBUILD command needs to be issued for digital certificates depends on whether the change relates to a certificate (CERTDATA record) or a keyring (KEYRING record), and on where the commands are being issued (for LPARs sharing a database).

For certificates (CERTDATA records):

  • Rebuilds do not need to happen on the system where the certificate-related command was issued. The tables are rebuilt dynamically there.
  • On every other system that shares the ACF2 database, the following commands need to be issued:

    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS(CERTDATA)

For keyrings (KEYRING records):

  • Rebuilds always need to be done regardless of the system. The following commands must be issued:

    F ACF2,REBUILD(USR),CLASS(P),DIVISION(KEYRING)
    F ACF2,OMVS(KEYRING)

For simplicity, most documentation recommends always issuing the following commands after any certificate- or keyring-related change, to ensure that all of the changes are activated:

    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS

Note that these commands rebuild all user profile records and OMVS tables, which may not be desirable for sites with large numbers of OMVS users. If this is the case, it is recommended to issue these rebuild commands only once, at a set time (typically overnight), for all user profile record related changes.

Additional Information

See USER Profile Records in the ACF2 documentation for a table describing when these records need to be rebuilt.