create a new .certificates dir with that's only accessible to your user
convert your PEM rsa key and cert to DER format and store them in your newly created .certicates dir
change the permissions of the newly converted DER files to only read/writeable by your user
delete the old PEM files.
Now you should be able to run your agate server with --certs /path/to/.certificates to specify the new location of your certificates.
It's probably a good idea to have agate regenerate your certs in #ECDSA format instead, but this would at least allow you to upgrade already, and give you some time to inform your users of a pending cert change, and announce the new fingerprints ahead of time via your gemlog and out-of-band via your website and/or social media accounts.
ping @KelsonV Probably not really useful anymore to you as you've already migrated to new keys, but might be a handy addition to your gemlog article? gemini://hyperborea.org/log/2021-04-04-capsule-update.gmi