We are switching to a new third party payment system that requires to provide the SSL certificate of any client interacting with their service (our app in this case) for them to register and approve it. This means, to avoid payment service interruption on our side, I'll need to create a new certificate and have it trusted by the payment provider while the current one is still valid, then update it before expiration.
The Heroku CLI provides few methods to manage certificates: certs:add, certs:remove, certs:update.
I'm not totally clear though how a certificate is "renewed". Do I just need to add the new one and remove the old one? Does certs:update do the two operations at once?
Ergo, in my case should I add the new certificate while the current one is still valid, then simply remove the old certificate once the new one is trusted? Or do I need to add the new one, update the current certificate with the new one (again once trusted), and then remove the old one? Or can I just add the new and trusted one and whenever the current one expires the new one "kicks in"?
I even tried reading the Certbot documentations (I assume that's what Heroku uses under the hood), but I'm still not entirely sure.