You can simply use the menu options/connect/options/ssl to create a new certificate then replace the old certificate. When mIRC creates the certificate, it is created with a lifetime of 36 months, so you shouldn't need to do this for a long time.
Note that you can now attach a certificate to a network in the serverlist that's different than the global certificate, so if you're creating a certificate to be used only for 1 network, you would create the certificate in the same menu location, but instead of clicking OK to make the new certificate be the global certificate, you'd escape out of OPTIONS, then go back into the serverlist and edit that network's serverlist entry to use the new 'local' certificate. To keep local certificates from being confused with each other, it's probably a good idea to give them filenames including the name of the network.
Note, many networks using INSPIRCD or UNREAL will continue to accept your expired certificate for SASL EXTERNAL, but Libera.Chat does not. But it's a good idea to make a new one before the old one expires, since that gives you an opportunity to switch back to the old one for at least a little while if you run into a glitch
If mIRC created your certificate 3 years ago, it was an RSA-2048 certificate, but now mIRC offers multiple options, including RSA-4096 and one of the ellipic curve formats. If you've installed OpenSSL, you can also create a certificate there using the instructions at https://libera.chat/guides/certfp
For your new certificate, the ECDSA or the Libera recommend of RSA-4096 are fine, and I have yet to encounter a network which does not support that size or does not even support RSA-8192.
It's generally accepted that nobody should be using RSA shorter than 2048, so I'm guessing the only reason mIRC offers RSA-1024 as a choice is for some old networks that haven't updated their software to support longer keys. The longest known RSA key to be cracked is RSA-829, so RSA-1024 is getting a little close for comfort. RSA-2048 will be good for a long time, barring an unknown breakthrough in discovering a new algorithm for factoring numbers, or quantum computers who can do better than factoring the number 21 lol. The ECDSA has a smaller number because that method can have strong security without needing to have as large of a key as RSA has.
Reminder that this will change your fingerprint, so if you have been using this for SASL EXTERNAL method to login your nickserv account, you'll need add this new fingerprint to your nickserv account.
While some networks like Libera.Chat allow you to add any fingerprint you want while you're logged into nickserv, most IRCD's have the security feature of requiring you to prove that you can actually be wearing the new fingerprint/certificate while being logged in.
While wearing the new certificate and being logged into nickserv, you can add the fingerprint like
/nickserv CERT ADD
and you can use /nickserv CERT LIST to see which fingerprints are attached to your account. You will want to eventually /NICKSERV CERT DEL prune obsolete fingerprints because there's a limit (usually 5) for how many fingerprints can be attached to your account. You can see what your current certificate's fingerprint is, by looking at the reply to //whois $me
If you've forgotten your password because you always use SASL EXTERNAL to login, you'll need to change your password before the old certificate expires, or else use your linked email to allow you to reset your password, because you'll most likely need to know the password in order to attach the new certificate fingerprint to nickserv.
So far, the only network I've encountered which does not support SSL at all is Undernet. The only extra security they offer is 2-factor authentication using TOTP, which I describe herehttps://forums.mirc.com/ubbthreads.php/topics/271000/how-you-can-auto-enable-totp-at-undernet