If you have many to do, you can create the second certificate on the tunnel server and activate it. The tunnel server will happily run with the two certs active.
The next part assumes that you have come consistency to your tunnel clients: in this case, there's only one tunnel configured (identified in the <1> section, and you're creating the new tunnel in section <2>)
Create a hub.cfx file with:
<tunnel> overwrite
<clients> overwrite
<1> overwrite
active = no
</1>
<2> overwrite
active = yes
host = YourTunnelServerIP
port = YourTunnelServerPort
heartbeat = 1801
cert = certs/client2.pem
password = YourHashedCertPassword
check_cn = no
description = YourTunnelServerDescription
hub = YourTunnelServerHubName
robot = YourTunnelServerRobotName
</2>
</clients>
</tunnel>
Put the cfx file into a hub update package.
Add a tab to the package before the hub.cfx tab and:
Add the new new client cert file to the package with a path of "hub/certs".
Create a file called "serial.dat" and put a "3" in it (next cert number) and add to the package with a path of "hub/certs".
When you drop this package on a new client, it'll copy out the new cert, update the record keeping so you can add new certs later if necessary, add the new cert to your hub cfg file and restart your hub.
-Garin