• We can remove an old expired certificate the same way it was done for a TDE database outside of an AG from all participating replicas:

    USE [master];
    GO
    DROP CERTIFICATE ExpiredTDECert;
    GO

    Please check that your Availability Group is healthy and the TDE database is in a synchronized state after you have renewed the TDE certificate. Keep the new certificate in secure and reliable storage so that you are able to restore your TDE database in case of disaster or migration.

    Note: the process of renewing a certificate is very similar to the initial activation of TDE for a database. Also, before doing any manipulations on the AG, make sure that the AG is healthy and the databases are synchronised.

    Note: make sure that you keep a backup of the old certificate in case you need to restore the database to a point in time before we switched the encryption certificate.

    Don't forget to
    ALTER DATABASE [MySecretDatabase] SET HADR RESUME;
    GO

    otherwise your secondaries will be in a paused state.

    Alex S
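The checks the post recommends before dropping the old certificate (which certificate still protects each database encryption key, whether it has expired, and whether the AG databases on this replica are synchronized and not suspended), as an added T-SQL script that is not part of the original post. The certificate name ExpiredTDECert is taken from the post; substitute your own.

```sql
-- Constructed pre-check script (not from the original post). Run on each replica
-- before DROP CERTIFICATE; it relies only on standard SQL Server catalog/DMV views.
USE [master];
GO

-- 1. Which certificate currently encrypts each database encryption key, and when it expires.
--    encryption_state 3 = encrypted; 2 or 4 = a key change is still in progress.
SELECT d.name                          AS database_name,
       dek.encryption_state,
       c.name                          AS encryptor_cert,
       c.expiry_date,
       CASE WHEN c.expiry_date < SYSDATETIME() THEN 'EXPIRED' ELSE 'ok' END AS cert_status
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases                   AS d ON d.database_id = dek.database_id
LEFT JOIN sys.certificates           AS c ON c.thumbprint  = dek.encryptor_thumbprint;
GO

-- 2. The certificate we intend to drop must no longer protect any DEK. DROP CERTIFICATE
--    refuses in that case anyway, but this tells you which database still needs rotating.
DECLARE @old sysname = N'ExpiredTDECert';   -- name used in the post; substitute your own
IF EXISTS (SELECT 1
           FROM sys.dm_database_encryption_keys AS dek
           JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint
           WHERE c.name = @old)
    RAISERROR(N'Certificate %s still encrypts a database encryption key; rotate it first.', 16, 1, @old);
GO

-- 3. AG state of this replica's databases: nothing suspended, everything synchronized.
--    A row with is_suspended = 1 is the case the post fixes with SET HADR RESUME.
SELECT d.name                            AS database_name,
       rs.synchronization_state_desc,
       rs.synchronization_health_desc,
       rs.is_suspended,
       rs.suspend_reason_desc
FROM sys.dm_hadr_database_replica_states AS rs
JOIN sys.databases                       AS d ON d.database_id = rs.database_id
WHERE rs.is_local = 1;
GO
```

Step 1 doubles as the record of which certificate (by name and expiry) an older backup was encrypted with, which is the reason the post asks you to keep the old certificate backed up.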