Does replacing the existing default SSL certificate affect the current application in PROD?


anoop mc (74811200221) | asked Dec 14 '15, 6:35 a.m.
 Hi,

We have CLM 5.01, which recently got migrated to use WAS instead of Apache Tomcat. Currently the web browser exception is handled manually.

When it comes to importing a signed certificate, during the final stage we will have to delete the default certificate following the below URL. 


My question is 

1. Does playing with the certificate affect my current working application?

2. Do we need to take the system backup?

3. Here, based on what we have seen earlier, the approach was to replace the default one with the new signed one.

4. If the new signed one does not work as expected after deleting the default one, does it cause any issue?


2 answers



sam detweiler (12.5k6195201) | answered Dec 14 '15, 8:10 a.m.
Yes, there is only one certificate on an endpoint.

So, if you get it wrong, the users after that will get the certificate error warning, until you supply a new certificate.

Backup... that's up to you. Never really a bad option, but if the current cert is bad, then you would restore to that state.

Donald Nong (14.5k614) | answered Dec 14 '15, 7:59 p.m.
Given your previous post (https://jazz.net/forum/questions/200452/how-to-request-and-configure-an-ssl-cerificate-for-clm-501-running-apache-tomcat), you're using a distributed environment with CA-signed certificates. What I don't understand is why the web browser still needs to handle "exceptions". It seems that your current environment is not well configured to begin with. So as Sam said, the quality of the backup is questionable.

If you are taking backups of configuration files (such as trust.p12 and key.p12), you will need to do it in synchronization across all applications, otherwise the restoration may not give you back a working state. That's because each application server also acts as a "client" to other servers, and has to handle the "exception"(?).

If you are taking VM snapshots as backups, it may be easier (not that I recommend this method).

The practice should be quite straightforward actually. Since you have a CA (I believe it's an internal one), the CA (signer) certificate should be imported into the trust store on every single machine and application server. Then when you use a (personal) certificate signed by that CA, it will be trusted automatically and there should be no "exception" to handle at all.
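
Added example, not part of the original answers and not IBM's procedure: a pre-flight check with the `openssl` CLI that a new CA-signed certificate chains to a signer present in the trust store and matches its private key, run before the default certificate is deleted. The function names, the demo CA, the host name `clm.example.test` and all file names are constructed for the demo, and the check assumes PEM-encoded files.

```shell
#!/usr/bin/env bash
# Added example. Every name, subject and file below is constructed for the demo.

# Build a throwaway PKI in directory $1: an internal CA, a server certificate
# signed by it, and an unrelated self-signed "default" certificate.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=clm.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -out "$d/server.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=default" \
    -keyout "$d/default.key" -out "$d/default.pem" 2>/dev/null
}

# preflight TRUSTED_SIGNERS_PEM CERT_PEM KEY_PEM
# Prints "ok" or the first failed check; returns 0 only when every check passes.
preflight() {
  signers=$1; cert=$2; key=$3
  # 1. The certificate must chain to a signer that clients and peer servers trust.
  openssl verify -CAfile "$signers" "$cert" >/dev/null 2>&1 ||
    { echo "untrusted"; return 1; }
  # 2. The private key must belong to the certificate (compare public keys).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
  # 3. The certificate must stay valid for at least 30 more days.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
    { echo "expiring"; return 1; }
  echo "ok"
}

# Run the three cases: signer imported, signer missing, wrong private key.
demo() {
  tmp=$(mktemp -d) || return 1
  make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
  echo "CA signer in trust store: $(preflight "$tmp/ca.pem" "$tmp/server.pem" "$tmp/server.key")"
  echo "CA signer not imported:   $(preflight "$tmp/default.pem" "$tmp/server.pem" "$tmp/server.key")"
  echo "wrong private key:        $(preflight "$tmp/ca.pem" "$tmp/server.pem" "$tmp/default.key")"
  rm -rf "$tmp"
}
demo
```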
