I did not see a lot of content in wmusers about this so I thought I’d post my findings. This may prove helpful to some of you who also implement secure IS-to-broker communication.
When it comes time to renew certificates used by the broker server and Integration Server, there’s an undocumented (but critical) step you need to implement. SAG indicated that broker clients (e.g. triggers) actually contain references to certificates. So when these certs are renewed, those triggers have to be deleted in MWS. And when the IS restarts, the new certs will bind to the newly-created broker clients.
SAG has indicated that these steps are not documented, but that Product Development assures this is the proper process.