If you need to send a certificate out to be resigned and renewed from a 3rd party certificate authority, you must use the TSS GENREQ command. Thats its sole purpose to export the certificate to a dataset in a format conducive to being signed by a 3rd party certificate authority.
The TSS GENREQ builds a PKCS10 package which is the format used to sign and renew certificates.
The TSS GENREQ put the public key in the PKCS10 package for signing. The private key remains on the security file.
When you get the certificate back, you need to add it back to the security file under a new DIGICERT name. You must also add it back to the same original owner of the certificate.