If you decide that you want to immediately generate new self-signed certificates, then you need to first re-enable AutoCertificateRollover and then issue a PowerShell command to invoke immediate certificate generation.
PowerShell command to re-enable AutoCertificateRollover:
Add-PSSnapin Microsoft.Adfs.Powershell
Set-ADFSProperties -AutoCertificateRollover $true
PowerShell command to immediately generate new self-signed certificates:
Add-PSSnapin Microsoft.Adfs.Powershell
Update-AdfsCertificate -Urgent
NOTE: Updating the Token-Decrypting or Token-Signing certificates causes an AD FS service outage, because the relying parties must update their configuration to expect the new certificates. Do this work when users are least impacted by the outage.
Set Self Signed Certificates to 10 years
Set-ADFSProperties -CertificateDuration 3650 -AutoCertificateRollover $true
Force update to new certificates
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent
Disable auto rollover after updating to 10 year certs (not required if you keep the 2 year default)
Set-ADFSProperties -AutoCertificateRollover $false
Update Office 365 Metadata (not required if you do not have Office 365)
Connect-MsolService
Update-MsolFederatedDomain -DomainName domain.com -SupportMultipleDomain
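Read-only check to run after the steps above (an added example, not part of the original procedure): it reports the rollover settings and the validity of every Token-Signing and Token-Decrypting certificate, and warns when a primary certificate is near expiry while rollover is disabled. The 60-day threshold in $warnDays is an assumed value.

```powershell
# Added example: read-only verification of AD FS certificate state.
# The snap-in exists on AD FS 2.0; on later versions the cmdlets load from a
# module, so a failure to add the snap-in is ignored here.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

$warnDays = 60   # assumed warning threshold, adjust to your change window

$props = Get-AdfsProperties
"AutoCertificateRollover : {0}" -f $props.AutoCertificateRollover
"CertificateDuration     : {0} days" -f $props.CertificateDuration

$report = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $daysLeft = [math]::Floor(($c.Certificate.NotAfter - (Get-Date)).TotalDays)
        $status = 'OK'
        if ($daysLeft -lt 0) { $status = 'EXPIRED' }
        elseif ($daysLeft -lt $warnDays) { $status = 'EXPIRING' }

        New-Object PSObject -Property @{
            Type       = $c.CertificateType
            IsPrimary  = $c.IsPrimary
            Thumbprint = $c.Thumbprint
            NotBefore  = $c.Certificate.NotBefore
            NotAfter   = $c.Certificate.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

$report |
    Sort-Object Type, NotAfter |
    Select-Object Type, IsPrimary, Thumbprint, NotBefore, NotAfter, DaysLeft, Status |
    Format-Table -AutoSize

# With rollover disabled nothing renews these certificates automatically,
# so a primary certificate close to expiry needs a planned manual update.
if (-not $props.AutoCertificateRollover) {
    $report | Where-Object { $_.IsPrimary -and $_.Status -ne 'OK' } | ForEach-Object {
        Write-Warning ("{0} primary certificate {1} expires {2:d}; rollover is disabled." -f $_.Type, $_.Thumbprint, $_.NotAfter)
    }
}
```

After a forced update, the primary certificate of each type should show a NotAfter date matching the configured CertificateDuration.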