Don't create a new signing key. It is a mistake. Always use the same certsigningRequest.csr.
In most cases you should also use the same certificate and only switch the provision profile.
It is true that the push key requires some manual handling however you don't really need to keep the old file. Upload it to Firebase and delete it.