If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate. If you manage your certificate ...

Azure Active Directory

If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate.
If you manage your certificate manually, please follow the below instructions.
Obtain a new Token Decrypting Certificate.Ensure that the Enhanced Key Usage (EKU) includes "Key Encipherment".
Subject or Subject Alternative Name (SAN) do not have any restrictions.
Please remember that your Federation Servers and Claims Provider partners need to be able to chain to a trusted root certification authority when validating your Token-Decrypting certificate.
Decide how your Claims Provider partners will trust the new Token-Decrypting certificateAsk partners to pull the Federation Metadata after updating the certificate.
Share the public key of the new certificate. (.cer file) with the partners. On the Claims Provider partner's AD FS server, launch AD FS Management from the Administrative Tools menu. Under Trust Relationships/Relying Party Trusts, select the trust that was created for you. Under Properties/Encryption click "Browse" to select the new Token-Decrypting certificate and click OK.
Install the certificate in the local certificate store on each of your Federation Server.Ensure that the certificate installation file has the Private Key of the certificate on each server.
Ensure that the federation service account has access to the new  certificate's private key.
Add the new certificate to AD FS.Launch AD FS Management from the Administrative Tools menu
Expand Service and select Certificates
In the Actions pane, click Add Token-Decrypting Certificate
You will be presented with a list of certificates that are valid for Token-Decrypting. If you find that your new certificate is not being presented in the list, you need to go back and make sure that the certificate is in the local computer personal store with a private key associated and the certificate has the  Key Encipherment as Extended Key Usage.
Select your new Token-Decrypting certificate and click OK.
Set the new Token-Decrypting Certificate as Primary.With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Decrypting: existing and the new certificate.
Select your new Token-Decrypting certificate, right-click, and select  Set as primary.
Leave the old certificate as secondary for roll-over purposes. You should plan to remove the old certificate once you are confident it is no longer needed for roll-over, or when the certificate has expired.

If a validation is specified here, this validation will take precedence over the validation of the bound attribute when displayed ... If a VAT ID is not provided, your local country VAT rate will be applied. We recommend providing your organization's VATID ... If AD FS Audits are not enabled follow these instructions: Grant the ADFS service account the "Generate security audits" ... If Auto-certificate roll over is enabled, AD FS will manage updating the Token Signing Certificate. If you manage your certificate ... If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate. If you manage your certificate ... If both DFSR and NTFRS services are stopped, Domain Controllers will not be able to replicate SYSVOL data. SYSVOL Data will ... If KDC Service is stopped, users will not be able to authentication through this DC using the Kerberos v5 authentication ... If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or use service ... If payment is not received within 7 business days, this order will be canceled. If you have any question, contact support ...