...

Step 1 : Add Certificates to ADFS

  • Token-Signing
Add-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "<thumbprint of signing cert>" [-IsPrimary]
  • Token-Decrypting
Add-AdfsCertificate -CertificateType "Token-Decrypting" -Thumbprint "<thumbprint of decrypting cert>" [-IsPrimary]

The -IsPrimary switch is optional and makes the new certificate primary immediately. For a rollover, leave it out so the certificate is added as secondary and promoted later in Step 3.

Step 2 : Upload new Metadata

...

  • Upload the XML from https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml to metadata.swamid.se/admin.
  • Remove the SP or IdP part if the ADFS isn't going to be used in both roles.
  • Use "Merge missing from published" to copy over all EntityCategories and MDUI information from the old entity.
  • Request publication.
  • Wait until you get confirmation of publication and then for at least 8 h more (recommended 24 h if in SWAMID and 48 h in eduGAIN) for all entities to pick up the new cert/key.
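Before requesting publication (and again in Step 4, and before removing the old key in Step 5) it is worth confirming which keys the ADFS metadata actually advertises, and how they map to the certificates ADFS holds. The script below is an added example, not code from the SWAMID wiki: it fetches the metadata (the example.com URL from above is assumed as the default), parses every KeyDescriptor, and for each embedded certificate reports its thumbprint and expiry together with the matching ADFS certificate type and whether ADFS considers it primary. It assumes it is run on an ADFS server with the ADFS PowerShell module available.

```powershell
# Added example (not from the SWAMID wiki page). Lists the certificates
# published in the ADFS federation metadata and matches them against
# the certificates configured in ADFS. The metadata URL is assumed.
function Get-AdfsMetadataKeys {
    param(
        [string]$MetadataUrl = 'https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml'
    )

    [xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

    # SAML metadata and XML-DSig namespaces used by the KeyDescriptor elements.
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Certificates ADFS currently holds for the two roles involved in a rollover.
    $adfsCerts = Get-AdfsCertificate |
        Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }

    foreach ($kd in $md.SelectNodes('//md:KeyDescriptor', $ns)) {
        $b64 = ($kd.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText) -replace '\s', ''
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($b64))

        # Same thumbprint may be configured for more than one certificate type.
        $matches = @($adfsCerts | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

        [pscustomobject]@{
            Role         = $kd.ParentNode.LocalName          # IDPSSODescriptor, SPSSODescriptor, RoleDescriptor
            Use          = $kd.GetAttribute('use')            # signing, encryption, or empty (both)
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            AdfsType     = ($matches.CertificateType -join ',')
            IsPrimary    = (@($matches | Where-Object { $_.IsPrimary }).Count -gt 0)
            KnownToAdfs  = ($matches.Count -gt 0)
        }
    }
}

Get-AdfsMetadataKeys | Format-Table -AutoSize
```

At Step 2 the new certificate should appear with KnownToAdfs true and IsPrimary false; at Step 4 it should show IsPrimary true; and at Step 5 the old thumbprint should no longer appear at all before you run Remove-AdfsCertificate.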

Step 3 :

...

Certificate rollover 

Automatic rollover

When does this happen? Run Get-AdfsProperties and check the value of CertificateCriticalThreshold.

The default setting is 2, which means that ADFS will switch the certificates two days before their expiration date whether you want it to or not.

The next parameter of interest is CertificatePromotionThreshold; its default value of 5 means the old certificate will remain present as a secondary certificate for five days after rollover.
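To see these two thresholds applied to your own certificates, the following added example (not from the SWAMID wiki) reads them from Get-AdfsProperties and, for each token certificate type, computes the date on which automatic rollover would switch to the secondary certificate and the date on which the old primary would be dropped. It also reports the AutoCertificateRollover flag, since the thresholds only take effect when that flag is enabled. It assumes an ADFS server with the ADFS PowerShell module loaded.

```powershell
# Added example (not from the SWAMID wiki page). Shows when ADFS's automatic
# rollover would act on the current primary certificates, based on the
# CertificateCriticalThreshold and CertificatePromotionThreshold values.
function Get-AdfsRolloverSchedule {
    $props = Get-AdfsProperties

    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $primary = Get-AdfsCertificate -CertificateType $type |
            Where-Object { $_.IsPrimary }
        $expires = $primary.Certificate.NotAfter

        # Rollover happens CertificateCriticalThreshold days before expiry;
        # the demoted certificate lingers CertificatePromotionThreshold more days.
        $switchDate = $expires.AddDays(-$props.CertificateCriticalThreshold)
        $removeDate = $switchDate.AddDays($props.CertificatePromotionThreshold)

        [pscustomobject]@{
            CertificateType    = $type
            PrimaryThumbprint  = $primary.Thumbprint
            NotAfter           = $expires
            AutoRolloverOn     = $props.AutoCertificateRollover   # thresholds apply only when this is $true
            AutoSwitchDate     = $switchDate
            OldCertRemovedDate = $removeDate
            DaysUntilSwitch    = [math]::Floor(($switchDate - (Get-Date)).TotalDays)
        }
    }
}

Get-AdfsRolloverSchedule | Format-Table -AutoSize
```

If DaysUntilSwitch is smaller than the waiting period from Step 2 (at least 8 h, 24 h in SWAMID, 48 h in eduGAIN), the automatic rollover will get ahead of the metadata publication, so plan the manual rollover earlier or adjust the threshold.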

Manual rollover

This can be done in the console by right-clicking on the certificate and selecting "Set as primary", or with PowerShell:

Set-AdfsCertificate -CertificateType "<Token-Signing or Token-Decrypting>" -Thumbprint "<thumbprint of cert>" -IsPrimary

Step 4 : Upload new Metadata again

...

Step 5 : Disable / remove key from software.

Remove the old certificates from the console or with PowerShell:

Remove-AdfsCertificate -CertificateType "<Token-Signing or Token-Decrypting>" -Thumbprint "<thumbprint of old cert>"