At the moment, only way to update keyalias certificate is to re-create key alias. This can be challenging if keyalias is in use by target server. Option to update keyalias will help a lot.
Seems supported: https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations.environments.keystores.aliases