...
When does this happen? In the Get-AdfsProperties command, you can check the value for CertificateCriticalThreshold.
The default setting is 2 and it means that ADFS will switch the certificates two days before their expiration date weather you want it to or not.
The next parameter of interest is CertificatePromotionThreshold, the default value of 5 means the old certificate will be present as a secondary certificate for five days after rollover.
...