In general, kubeone automatically updates certificates that are within 90 days of expiry automatically when updating your cluster. If you keep cluster updates in line with the Kubernetes Support Period, there should be no need to manually re-new certificates.
In case you want to manually update your certificates, you can run the following:
kubeone apply --force-upgrade
This will renew all of your certificates and restart the kube-apiserver to make use of the updated certificates, assuming your certificates are within 90 days of expiry.