If you are renewing a certificate then it will simply re-use the already existing key. The only thing that gets renewed is the public certificate. Have you tried following this guide?
Importing a renewed SSL certificate
https://support.f5.com/csp/article/K1462014
When you import a renewed SSL certificate, you overwrite the existing certificate/key with the one you are importing. The SSL profile then automatically uses the renewed certificate to encrypt the SSL sessions.
Important: Existing connections continue to use the old SSL certificate until the connections complete or are renegotiated, or until TMM is restarted.
Impact of procedure: Performing the following procedure should not have any impact to the existing traffic and new traffic will utilize the new certificate.
- Log in to the Configuration utility.
- Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
- Click Import.
- In the Import Type list, click Certificate.
- For Certificate Name, click Overwrite Existing.
- In the Certificate Name list, click the certificate to replace.
- For Certificate Source, click either Upload File and browse to the file or Paste Text and paste plain text into the box.
- Click Import.
To be honest I always generate a completely new PFX or CSR in order to renew both the certificate and key for security reasons. It will also give me the possibility to revert back to the old certificate in case there are some issues with the newly generated certificate/key. The only thing I have to do after uploading the new certificate/key pair is make the switch in the Client SSL Profile.
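The difference between the two approaches in this answer (a renewal that keeps the existing key versus a newly generated key pair) can be checked with openssl before choosing Overwrite Existing. This is an added example, not part of the original post or the F5 article; the file names and the `make_samples` helper are hypothetical, and the sample certificates are constructed throwaway material.

```shell
#!/bin/sh
# Added example: pre-import checks for a renewed certificate (assumes openssl).

# SHA-256 of the PEM public key inside a certificate; fails on unreadable input.
cert_pubkey_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Same hash, derived from a private key file.
key_pubkey_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0: certificate belongs to this private key, 1: mismatch, 2: unreadable file.
cert_matches_key() {
    c=$(cert_pubkey_hash "$1") || return 2
    k=$(key_pubkey_hash "$2") || return 2
    [ "$c" = "$k" ]
}

# 0: the renewed certificate kept the old certificate's key pair.
renewal_reuses_key() {
    o=$(cert_pubkey_hash "$1") || return 2
    n=$(cert_pubkey_hash "$2") || return 2
    [ "$o" = "$n" ]
}

# Constructed samples: one key with an old and a renewed self-signed
# certificate, plus a certificate issued for a different, new key.
make_samples() {
    d=$1; subj="/CN=www.example.test"
    openssl genrsa -out "$d/site.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$d/site.key" -subj "$subj" -days 1 -out "$d/old.crt" 2>/dev/null &&
    openssl req -x509 -new -key "$d/site.key" -subj "$subj" -days 30 -out "$d/renewed.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -subj "$subj" -days 30 -out "$d/rekeyed.crt" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_samples "$tmp" || exit 1
    cert_matches_key "$tmp/renewed.crt" "$tmp/site.key" && echo "renewed.crt: key unchanged, certificate-only overwrite is consistent"
    cert_matches_key "$tmp/rekeyed.crt" "$tmp/site.key" || echo "rekeyed.crt: different key, import certificate and key as a new pair"
    rm -rf "$tmp"
fi
```

A mismatch means the certificate was issued for a different key, so overwriting only the certificate would leave the profile with a certificate and key that do not belong together.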