You can add an additional signing certificate as a secondary certificate that will be used when the default signing certificate expires. For example, if the default certificate is valid from January to June and secondary certificate is valid from May to October. When the default certificate expires in June, Identity Server automatically starts using the secondary certificate. Hence, there is no interruption in federation service between the service provider and Identity Server.
For information about adding a secondary certificate, see Configuring Communication Security for a SAML 2.0 Service Provider and Editing a SAML 2.0 Service Provider’s Metadata.