Update...
I did some research and implementation tests and I'm sure it is perfectly feasible to migrate DSVPN/IPSEC from pre-shared key authentication to rsa-signature (PKI) without connection losses or new tunnel creation.
All comes down to a few points.
1. On the HUB and next gradually on all of the SPOKES
- you need to have different ike proposals: for pre-shared (it has existed to that point) and for rsa-sig (the one with pre-shared should have a lower number e.g. 1 - higher priority, for rsa-sig e.g. 10)
- in ike peer configuration (originally for pre-shared) you need to delete any ike-proposals (in order to allow the system to choose from configured ike proposals freely according to priority)
- in the same ike peer configuration you add pki realm reference to the pki realm used for your certificates
- ...and you leave reference to pre-shared key for the time of migration
This way ike proposal is used for both pre-shared and rsa-sig auth modes (IKE negotiation should be default main mode)
Now you can connect to any DSVPN/IPSec hub and spoke and pre-shared is selected as the default mode
2. After step 1 is done on all of the spokes you simply set ike-proposal 10 (rsa-sig) in ike peer configuration on spokes one by one
3. After all of the spokes have ike peer configuration changed to ike-proposal 10 (no choice then) you set it on the hub (new fixed ike-proposal)
Next you can remove pre-shared key from ike peer and ike proposal 1 definition (the one for pre-shared authentication)
In short, that's it and it works (verified on AR1220E and AR161 with V200R009)
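
The ordering above only holds if every spoke has really reached the expected step before the next one starts. The following is an added example, not part of the original post: a small checker that classifies a saved device configuration by migration step and gates step 3. The configuration line spellings, the peer name `hub`, and the default of pre-share when a proposal names no method are assumptions; adjust the patterns to what your devices actually display.

```python
import re

# Constructed sample (spoke after step 1); command spellings are assumed, not taken from the post.
SPOKE_STEP1 = """\
ike proposal 1
 authentication-method pre-share
#
ike proposal 10
 authentication-method rsa-signature
#
ike peer hub
 pre-shared-key cipher <redacted>
 pki realm <realm-name>
"""
FIELDS = {r"authentication-method (\S+)": "auth", r"ike-proposal (\d+)": "proposal",
          r"(pre-shared-key) .*": "psk", r"pki realm (\S+)": "realm"}

def parse(cfg):
    proposals, peers, cur = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # unindented line opens a new section
            cur = None
            if m := re.fullmatch(r"ike proposal (\d+)", line):
                cur = proposals.setdefault(int(m[1]), {"auth": "pre-share"})  # assumed default
            elif m := re.fullmatch(r"ike peer (\S+)", line):
                cur = peers.setdefault(m[1], {"proposal": None, "psk": None, "realm": None})
        elif cur is not None:
            for pat, key in FIELDS.items():
                if m := re.fullmatch(pat, line):
                    cur[key] = m[1]
    return proposals, peers

def phase(cfg, peer):
    """Classify one ike peer: original-psk, step1-dual, rsa-pinned, cleaned-up or invalid."""
    proposals, peers = parse(cfg)
    p = peers[peer]
    psk = [n for n, v in proposals.items() if v["auth"] == "pre-share"]
    rsa = [n for n, v in proposals.items() if v["auth"] == "rsa-signature"]
    if p["proposal"] is None:                    # free choice: both proposals, both credentials
        ok = psk and rsa and min(psk) < min(rsa) and p["psk"] and p["realm"]
        return "step1-dual" if ok else "invalid"
    auth = proposals.get(int(p["proposal"]), {}).get("auth")
    if auth == "rsa-signature" and p["realm"]:
        return "cleaned-up" if not (p["psk"] or psk) else "rsa-pinned"
    return "original-psk" if auth == "pre-share" and p["psk"] else "invalid"

def hub_may_switch(spoke_cfgs, peer="hub"):
    # Step 3 gate: every spoke must already be fixed on the rsa-signature proposal.
    return all(phase(c, peer) in ("rsa-pinned", "cleaned-up") for c in spoke_cfgs)
```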