Technically certificates are used for two purposes - the first one is to sign the Wallet passes itself which allows the Wallet app to check the integrity of the files as well as making sure that the issuer of the certificate is authorised to issue passes.
The second purpose is to encrypt connections to the Apple Push Notification Service (APNS) which allows Apple to determine if the Push Notification should be sent at all and to know what pass needs to be updated (alongside an identifier that is transmitted).
Logically (what do users see?)
Passes are grouped by their certificate
|Wallet passes that share a certificate are grouped within the Wallet app. This means that they are shown next to each other instead of above each other. This is e.g. useful if you have multiple vouchers for one store and allows users to find them in one place.
Passes that share a certificate also share their icon for Push Notifications
If passes share the same certificate, the icon of the first pass that has been saved on the phone will be used in push notifications. Be especially careful about this when you're distributing passes that use different icons. In this case the push notifications of the pass that is stored after the first one will always display the icon of the pass that has been saved first.
When should you use a new certificate?
You should use a new certificate if the pass has its very own purpose e.g. it is for a completely different enterprise or it just should use a different icon image.
What happens if a certificate has expired?
Your users won't be able to save the pass on their phone anymore and you can't deliver push notifications to them. We'll notify you about expiring certificates via email long before the expiration date in order to ensure you have enough time to update the certificate. After you've updated the certificate, make sure to update the templates that use the certificate and publish changes in order to recreate passes using the new certificate.