If you have a server core instance of a server, which is how it should be as you reduce you attack vector by 70% if you drop off the GUI then when you want to update a certificate you can run into issues as you have no "GUI" and if you do not know the commands it can be akward.
So do not fear, first login to the server, and get the PowerShell prompt once there you need to run this:
certutil -store My
This will return all the certificates in the local computer store like this, however you may have more than one certificate listed.....
================ Certificate 2 ================
Serial Number: 1b409208672927a449bfff7d14e6f089
Issuer: CN=Azure ATP Sensor
NotBefore: 24/08/2020 21:20
NotAfter: 25/08/2022 21:20
Subject: CN=Azure ATP Sensor
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): <removed>
Private key is NOT exportable
Encryption test passed
Now you have this you need to run this command:
certreq -enroll -machine -q -PolicyServer * -cert <serialnumber> renew reusekeys
This will renew the certificate with the serial number specified and will reuse the keys already in use so all you need to do is replace the serialnumber from the first command with the syntax from above.
If you need a new keypair then the command is:
certreq -enroll -machine -q -PolicyServer * -cert <serialnumber> renew