Can the ACF2 REKEY/ROLLOVER subcommands be used to renew a certificate that is about to expire?