This task will track the implementation of the updated *.wmflabs.org certificate. (Parent Task T140647 is a private procurement space task, so implementation should like be done in a public one.)
Patchset https://gerrit.wikimedia.org/r/#/c/309379/ has the new public certificate file.
The private key file is named in the private repo as new.star.wmflabs.org.key. When the new certificate file is pushed into service, the existing star.wmflabs.org.key file should be git rm'd, and then git mv the new.star.wmflabs.org.key into its place.
Further details will need to be added on what labs hosts make use of this certificate.