Hi,
I emailed TAC about this issue, and this is the answer they gave me:
If within the same trustpoint, this can be done by re-enrollment with the CA to get a new certificate. If with a new trustpoint (different CA), you need to add the trustpoint config and enroll with it.
For specifying which certificate to use, you should configure the tunnel-group for that.
Hope this helps.
Thanks