To Renew the certificate on your PAN Traps ESM, there are 2 processes.
First you need to update the certificate in the IIS Default site where ESM Console is running. you can install the certificate in the web folder.
Secondly to update the core module (otherwise your Traps agents will not connect), you need to.
Launch MMC and copy the certificate you installed in IIS into Enterprise Trust and Personal.
Then run the following commands from a command prompt NOT powershell
netsh http show sslcert
take note of the Certificate thumbprint you installed in IIS above
now run the below to delete the current certificate binding
netsh http delete sslcert ipport=0.0.0.0:2125
and the below to create the new binding, add the cert hash from the above command to the below
netsh http add sslcert ipport=0.0.0.0:2125 certhash=TYPE YOUR CERT_HASH_HERE appid={935e55e3-8b9d-4b95-954c-423626f887f9} clientcertnegotiation=enable
Thats it your agents should be able to connect again 🙂