Worked out pretty much as intended.
1) Removed the current cert from the repository, which blanked the VPN clients selection. There were some warning and push configuration messages.
2) Opened the trusted CA server object and used the Get button on the OPSEC PKI Tab to install and accept the new root cert.
3) Repeated step 2 for the subordinate CA.
4) Used the add button on the IPSEC page to create a new cert. You'll add a nickname and in our case it was important to pick our subordinate CA in the "CA to enroll from". The first time, we selected the root and we received an error telling us the cert chain was off.
5) Pushed the generate button and added our DN.
6) Another member of our team took the info and processed the cert with DigiCert.
7) Used the returned, signed cert to complete the enrollment.
8) Switched the VPN clients to authenticate using the new cert.
9) Pushed policy for good measure.