EC25: How can I upgrade certificates and private keys saved on devices to use the MQTT protocol with Amazon AWS?

Hi, I need to communicate through the MQTT protocol with Amazon AWS IoT Core, but if I save my certificates and private keys inside the devices, how can I update these certificates and keys on the device through remote access?
What is the best practice?
With an FTPS server?
I hope you can help me.