A certificate renewal is the combination of a revocation (of the existing certificate) and an issuance (of another certificate).
Note that XenMobile will first attempt to obtain the new certificate before revoking the previous one, in order to avoid discontinuation of service if the issuance fails. If distributed (SCEP-supported) delivery is used, the revocation will also only happen once the certificate has been successfully installed on the device; otherwise, the revocation will occur before the new certificate is sent to the device and independently of the success or failure of its installation.
The revocation configuration requires that you specify a certain duration (in days); when the device connects, the server verifies whether the certificate’s NotAfter date is later than the current date minus the specified duration. If it is, a renewal is attempted.