You can replace certificates in the key database file if you use older certificates that have shorter keys. Certificates have 2048 keys, but some older certificates have fewer keys, which makes them less secure.
gsk8capicmd -cert -delete -file cert.kdb
-stashed -label "TSM Server SelfSigned Key"
gsk8capicmd -cert -delete -file cert.kdb
-stashed -label "TSM Server SelfSigned SHA Key"
rm cert.arm cert256.arm
del cert.arm cert256.arm
run dsmsta setstorageserver SSL