Configuring TLS on a Logstash Docker container

Hello, maybe this is a dumb question.
I'm in the situation in which I want to use TLS between Filebeat and Logstash, the latter being on a Docker container.
To enable TLS on Logstash, I'm supposed to configure it as follows (with a self-signed certificate):

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/server.crt"
    ssl_key => "/etc/server.key"
  }
}

The server.crt file is supposed to be used by Filebeat, too.
However, how is it possible to manage the situation in which I need to replace the Docker container? I should re-generate the certificate on the Logstash container and send it back to Filebeat?

"Replace the Docker container"? Are you talking about the Docker image?

Since the certificate is tied to the host it's probably a good idea to store the certificate in the host file system and bind-mount it into containers as necessary.

Yes, I was referring to container image replacement.
That was the suggestion I was looking for, thanks

BTW, could someone confirm me that if the host certificate is self-signed (and thus, I'm using the insecure option for Filebeat TLS) it is not necessary to pass the .crt and .key files to the Filebeat clients?