I have run into this issue today when trying to replace the outbound certificate on one of my lab gateways.
New certificate was issued by following sk108641 How to Renew or Import a new HTTPS Inspection certificate
Changes were saved, Policy published and installed and the gateway rebooted (reboot was not in the sk).
New certificate was distributed to the clients and installed.
Still am seeing original certificate in the property of the gateway's HTTPS Inspection:
As well as in the clients accessing the Internet through this gateway.
My questions are: what should be done to actually replace the cert on the gateway and if there is a CRL function that could be used to bag the old one.