You will need to create a new certificate that will replace the existing one. There are several requirements for this certificate and it is critical that they are met. View the certificate requirements here.
Next, you need to import the new certificate into the Local Machine store on all AD FS servers in the farm. Once the certificate is imported, you also must grant the AD FS service account Read permissions to the private key. This can be done using the Certificates MMC snap-in: right-click the new certificate, All Tasks, and then Manage Private Keys.
Next, add the new certificate as a secondary in the AD FS farm. To do this, launch the AD FS Management console and locate the Certificates node under Service. In the right-hand pane, there are options to add a new certificate. Select the link based on which certificate you want to add.
Now that the certificate has been deployed, it will be available to partners through the metadata. However, some applications may not automatically consume the new certificate from the metadata and you’ll need to manually provide them with the certificate.
After all partners have been updated to use the new certificate, you need to promote it to the primary certificate. This is also done using the AD FS Management console on the Certificates node under Service. In the right-hand pane, there is an option entitled “Set as Primary”.
You can find more information about updating certificates here.