Regarding "Also, I know that CP uses the RFC 1751 to create the fingerprint in human text, but do they have a tool to determine the fingerprint without installing/replacing the current certificate on a gateway?":
--> Maybe, I've never found one. So I used the C code from that RfC, compiled it and used it for converting in both directions. Please take care to use the SHA-1 fingerprint of the root certificate of your VPN GW SSL certificate chain. Not the fingerprint from the actual server certificate or any of the intermediate ones.
$ ./rfc_1751.exe "f9:02:bc:09:9a:9e:58:dc:28:6f:f6:4c:54:dd:71:e0:cf:29:f2:30"
Output: WEAN GAM ANT PRY SURF CURL MEW FEUD HALO LAIR SAUL TUBA
$ ./rfc_1751.exe "WEAN GAM ANT PRY SURF CURL MEW FEUD HALO LAIR SAUL TUBA"
Output: F9:02:BC:09:9A:9E:58:DC:28:6F:F6:4C:54:DD:71:E0
Back in R77 days, I remember it was possible to import the new certificate in SmartDashboard, NOT clicking ok or save, than copy the new fingerprint it shows to you, and than click cancel. Never tried this with R80+ and SmartConsole, maybe it is still working this way.
And as CP is only checking fingerprint of Root CA, there is no need to update trust on clients when you stay with that Root CA while changing server cert every year.