To be clear, this is the approach we would follow: Generate a new Merchant Identity certificate for the Apple Merchant Identifier on the Apple Developer website.    At this point: Apple Merchant Id: old certificate (valid), new certificate (valid) Client application: old certificate (valid)  Add the new certificate to the Client application keystore and deploy to Production.    At this point: Apple Merchant Id: old certificate (valid), new certificate (valid) Client application: old certificate (valid), new certificate (valid) 3. We can either keep both certificate and let the old one expires or revoke the old one. Could you confirm that the above approach would work without causing any outage at any point? If at point 2 we replace the old cert with the new one in HPP, rather than keeping both: Apple Merchant Id: old certificate (valid), new certificate (valid) Client application: new certificate (valid) Would it still be fine?