Our AD FS certificate was set to auto-renew at 50 days before expiry, then roll over 10 days later.
This didn't auto-roll over in Office 365, as I understand it starts checking for a new certificate at 30 days.
We set the rollover to manual, updated the certificate, forced O365 to use the new certificate, which allowed people to authenticate.
However, when I now check the certificates, there is no NextTokenSigningCertificate listed under AD FS, but there is still a NextTokenSigningCertificate listed in Office 365 - which expires before the current token signing certificate.
If I set this back to auto-rollover, will Office 365 try to use the NextTokenSigningCertificate it has listed? Can I remove this?
Secondly, if I change it to auto-renew at 50 days before expiry, then roll over 21 days later, would this give Office 365 time to start checking for a new signing certificate (at 30 days), and account for any delay by giving it the extra day before rolling over?
And will it then renew the NextTokenSigningCertificate I see in AD FS under Office 365?
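As an added example that is not part of the original post: a PowerShell check that reads the rollover thresholds and token-signing certificates on the AD FS side, reads what Office 365 currently holds for the federated domain, and compares thumbprints so a stale NextTokenSigningCertificate like the one described above is reported explicitly rather than eyeballed. It assumes the AD FS module on a federation server and the MSOnline module (after `Connect-MsolService`); `contoso.com` and the 50/21-day thresholds are placeholders taken from the question, not recommendations.

```powershell
# Added example, not the poster's own commands. Assumes the AD FS PowerShell
# module (federation server) and the MSOnline module with an open
# Connect-MsolService session. $domain is a placeholder.
$domain = 'contoso.com'

# --- AD FS side: rollover settings and the token-signing certificate pair ---
$props = Get-AdfsProperties
$props | Select-Object AutoCertificateRollover,
    CertificateGenerationThreshold,   # days before expiry a new cert is generated
    CertificatePromotionThreshold,    # days after generation before it becomes primary
    CertificateDuration

$adfsSigning = Get-AdfsCertificate -CertificateType Token-Signing
$adfsPrimary = $adfsSigning | Where-Object IsPrimary
$adfsNext    = $adfsSigning | Where-Object { -not $_.IsPrimary }

# --- Office 365 side: what the federated domain trusts right now ---
# Get-MsolFederationProperty returns one row per source ("ADFS Server" and
# "Microsoft Office 365"); we only want the Office 365 view here.
$o365 = Get-MsolFederationProperty -DomainName $domain |
    Where-Object { $_.Source -like '*Office 365*' }

function Describe-Cert($cert) {
    # Returns a one-line summary, or '(none)' when the slot is empty.
    if ($null -eq $cert) { return '(none)' }
    '{0}  NotAfter={1:yyyy-MM-dd}' -f $cert.Thumbprint, $cert.NotAfter
}

"AD FS  primary : " + (Describe-Cert $adfsPrimary.Certificate)
"AD FS  next    : " + (Describe-Cert $adfsNext.Certificate)
"O365   current : " + (Describe-Cert $o365.TokenSigningCertificate)
"O365   next    : " + (Describe-Cert $o365.NextTokenSigningCertificate)

# Flag the two conditions the question describes:
#  1. Office 365 still lists a "next" cert although AD FS has none.
#  2. That "next" cert expires before the primary it is supposed to replace.
$o365Next = $o365.NextTokenSigningCertificate
if ($o365Next -and -not $adfsNext) {
    Write-Warning "Office 365 holds a NextTokenSigningCertificate that AD FS no longer publishes."
}
if ($o365Next -and $adfsPrimary -and
    $o365Next.NotAfter -lt $adfsPrimary.Certificate.NotAfter) {
    Write-Warning "Office 365's 'next' cert expires before the current AD FS primary."
}
if ($o365.TokenSigningCertificate.Thumbprint -ne $adfsPrimary.Certificate.Thumbprint) {
    Write-Warning "Office 365 primary thumbprint does not match the AD FS primary."
}

# --- Remediation steps, uncommented deliberately so the check runs read-only ---
# Push whatever AD FS currently publishes (primary and, if present, next) into
# Office 365 for this domain; this is the usual "force Office 365 to use the
# new certificate" step:
#   Update-MsolFederatedDomain -DomainName $domain
# Re-enable automatic rollover with the thresholds proposed in the question
# (50 days before expiry to generate, promote 21 days after generation):
#   Set-AdfsProperties -AutoCertificateRollover $true `
#       -CertificateGenerationThreshold 50 -CertificatePromotionThreshold 21
```

Run the read-only part first on a federation server where both modules are loaded; the remediation cmdlets are left commented because `Update-MsolFederatedDomain` rewrites the domain's federation settings and `Set-AdfsProperties -AutoCertificateRollover $true` will let AD FS generate a new certificate as soon as the generation threshold is crossed.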