
Certificate Upload

itabhishek9
Participant

Hi SDNites,

I am working on integration between SAP Cloud Platform Integration and S4HANA Cloud and found it is working using basic authentication, but I want to get it integrated using certificate-based authentication. Can you please guide me?

1. Who generates the Key pair for SAP cloud Platform Integration and who maintains it in case of it being expired. If it is SAP how can I find the Private key and also download the public key to be shared with S4HANA cloud or any 3rd party.

2. Who generates the key pair for S4HANA Cloud and who maintains it in case of it being expired. If it is SAP how can I find the Private key and also download the public key to be shared with S4HANA cloud or any 3rd party.

Also the public key provided by 3rd party will be uploaded manually in keystore by administrator (Not SAP). How will this be linked to Communication channel. Same is for Private key as well.

Regards,

Abhi

Accepted Solutions (1)


Ivan-Mirisola
Product and Topic Expert

Hi Abhi,

1) If it is an SAP-related system certificate, then SAP will update it. Since SCP-CI is a subscribed app and the provider is SAP itself, whenever there is an updated certificate it will be reflected in all instances that subscribe to this application. You could manage/download any certificate stored on the keystore using this path "/itspaces/shell/monitoring/Keystore" of your "tmn" application URL (i.e.: https://<your sub-account>-tmn.avt.us1.hana.ondemand.com/itspaces/shell/monitoring/Keystore).

2) All S4Hana Cloud system integrations need to go through API Business Hub. The way I see this is that you would need an API key and to trust the certificate from your API landscape URL. Then call the relevant OData service with the API key. When you open a service definition (you need to be logged on to the API Business Hub), the system will have an API Key button to generate one for you and also a button to generate the related code to call the service.

3) The communication channel will use the certificate alias name you entered while uploading the certificate to the keystore.

Side note: private keys are not shareable, thus no need to bother about them as they are needed only while encrypting the HTTP channel. And this is done automatically by the platform. All certificates needed for the communication channel of a receiver system need to be the ones related to the public key that is embedded into the server certificate - the same ones used by your browser.

Regards,
Ivan

Answers (0)