Hi Raoul,
regarding your first question:
Yes, this will work. If the certificate is still valid (duration can be configured to your requirements) and the user has access to the SAP Backend System, the short-lived user certificate (which was issued at 09:00 am) can be used.
Even if the user certificate is not valid anymore and the user has access to the corporate network, the X.509 certificate can be reissued automatically (if desired).
Best regards,
Frane