Your application cert ID is like a password for your keyset. If you think your keyset has been compromised, you can change your cert ID at any time. Creating a new cert ID doesn’t affect existing user tokens that have already been created for your application.
Once you generate a new cert ID, your old cert ID expires at the end of the grace period that you specify.
The grace period can be a value between 0 (expires immediately) and 4000 days. Use 4000 if your company's security standard is to always have two cert IDs available, so that you can switch between them as needed without signing in to the eBay Developers portal.
A typical grace period is between 30 and 90 days. During the grace period, both cert IDs are valid, so that you can deploy your application changes and revoke older tokens as needed.
You can’t use the new cert ID to revoke user tokens that you created with the old ID. If you plan to revoke older tokens, make sure you do so before the old cert ID expires.