Office 365 - Identity Federation: Email Received Stating: "An important certificate used to sign communications between your on-premises single sign-on deployment and the federated domain(s) that you’ve designated in Office 365, will expire within the - TechNet Articles - United States (English)

Overview

These proactive emails are geared towards ensuring that you are prepared for certificate replacement, if needed.

By default, AD FS 2.0 utilizes self-signed certificates for token-signing and token-decrypting. This feature is called AutoCertificateRollover, and you can ensure that this is enabled by examining a couple of items:

View the current token-signing and token-decrypting certificates

Launch AD FS 2.0 Management on a Primary AD FS 2.0 server
Expand the Service node and select Certificates
In the center pane, you’ll see three certificates listed: Service Communications, Token-Decrypting, and Token-Signing. AutoCertificateRollover only manages the Token-Decrypting and Token-Signing certificates for you
If you expand the Subject and Issuer columns in the AD FS 2.0 Management console, you’ll see that the Subject and Issuer values match. This means the certificates are self-signed by AutoCertificateRollover, and AD FS 2.0 will renew these certificates automatically for you (no action required).
If the Subject and Issuer columns do NOT match, that means you manually disabled AutoCertificateRollover and intend to manually replace these certificates on your own

View the current True/False value of AutoCertificateRolloverEnabled

On a Primary AD FS 2.0 server, launch an Administrative PowerShell console
Type the following commands:

Add-PsSnapin Microsoft.Adfs.Powershell

Get-AdfsProperties

3. In the output, find AutoCertificateRolloverEnabled and note if it is set to True or False. If it is set to True, then AD FS 2.0 is set to renew these certificates automatically for you. If it is set to False, you have manually disabled AutoCertificateRollover, and you intend to replace these certificates on your own.

Windows Azure Active Directory auto-pull

Windows Azure AD will automatically pull new certificate information from your Federation Metadata XML (published by your Federation Service) in order to learn about your new certificates. No action is required as long as AutoCertificateRollover is enabled in AD FS 2.0.

Scripted Push Tool

Microsoft offers a push tool so that you are automatically pushing your Federation Metadata to Office 365 on a schedule. We recommend ALL of our identity federation customers run this tool as an added measure to ensure metadata freshness between your federation service and ours:

Microsoft Office 365 Federation Metadata Update Automation Installation Tool

http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

If you prefer to manually execute a command to update metadata rather than run the automated tool on a schedule

On a Primary AD FS 2.0 server, make sure Microsoft Online Services Module for Windows PowerShell is installed and launch an Administrative PowerShell console
Type the following commands:

NOTE: The –SupportMultipleDomain parameter is ONLY needed if you have multiple top-level domains (TLDs) that are utilizing Federated authentication. If you have just one Federated top-level domain, do NOT utilize the –SupportMultipleDomain parameter

Import-Module MsOnline

Connect-MsolService

Update-MsolFederatedDomain –DomainName “enter-your-Federated-domain-name-here” -SupportMultipleDomain

3. Verify your metadata is fresh (certificate thumbprints match) by executing the following command:

Get-MsolFederationProperty –DomainName “enter-your-Federated-domain-name-here”

ONLY if you have DISABLED AutoCertificateRollover, you will need to manually replace the token-signing and token-decrypting certificates based on the following guidance: