How do we decom old certs after implantation of service mesh?

Background: In pre-Service Mesh/SM days our frontend and backend services mTLS authenticate using certs obtained from Vault

During implementation of SM we fetched Consul certs from the same Vault CA.

How do apps respond? Get rid of old certs and just hope that now the mTLS will not break anything

Current situation:
Scenario#1: Frontend services have yet to adopt SM.
So how does mTLS ack happens now? Frontend can continue to use the old cert and backend service can get rid of old cert and rely on mTLS feature of SM. Afterall both old and new certs were created using the same Vault CA

Senario#2: Both Frotend and Backend adopt SM.
Can we get rid of old certs from both the apps and rely on mTLS offered by SM?