Thank you for posting your query on Microsoft Q&A. PFB answer to each of your queries inline:
- Why token-signing certificates are used when adding the claims provider?
Because each security token is digitally signed by the account partner (Claims provider), the resource partner (Relying party) can verify that the security token was in fact issued by the account partner and that it was not modified. Digital signatures are verified by the public key portion of a partner's token-signing certificate. After the signature is verified, the resource federation server generates its own security token for its organization, and it signs the security token with its own token-signing certificate.
The token-signing certificate is used to sign the security token, which provides a way for the application to verify that the token was issued by a trusted claims provider. This helps to prevent security attacks such as token forgery or man-in-the-middle attacks.
- Why token-encryption certificates are used when adding relying party?
Token-encryption certificates are used to encrypt the security tokens that are issued by the claims provider before they are sent to the relying party. This provides a way for the relying party to securely receive and decrypt the token (the relying party holds the private key of the same encryption certificate).
- In my company, AutoCertificateRollover is set to true. But token-signing certificates are replaced by people. When it is replaced, should we send it to relying parties?
Yes, once generated manually, we need to share the metadata or public key with the Relying party.
- Token-encryption certificates are replaced automatically. When they are replaced, we don't need to send the certificates to claims providers or relying parties. Why?
You must ensure that each federation partner is updated with this new certificate in order to avoid an outage. Your federation partner is represented in your AD FS farm by either relying party trusts or claims provider trusts.
Federation partners consume your new certificates by pulling your federation metadata or by receiving the public key of your new certificate from you. Once you've allowed enough time for your federation partners to consume your new certificate, you must promote the secondary certificate to primary certificate.
Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
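The signing and rollover behaviour described in this answer, as an added example that is not part of the original post or of AD FS itself: a claims provider signs tokens with its primary key, a relying party accepts a token only if the signature checks against a key it cached from its last metadata pull, and a partner that never refreshed metadata after the new certificate was published as secondary starts rejecting tokens once that certificate is promoted. Assumptions: raw RSA PKCS#1 v1.5 keys stand in for the X.509 token-signing certificates, and a key slice stands in for the federation metadata document.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// genKey stands in for generating a token-signing certificate (X.509 wrapper omitted).
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// IssueToken is the claims-provider side: sign the token with the private key
// of the current primary token-signing certificate.
func IssueToken(primary *rsa.PrivateKey, token []byte) []byte {
	h := sha256.Sum256(token)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, primary, crypto.SHA256, h[:])
	return sig
}

// VerifyToken is the relying-party side: trust the token only if its signature
// validates against a key cached from the last federation-metadata refresh.
func VerifyToken(cached []*rsa.PublicKey, token, sig []byte) bool {
	h := sha256.Sum256(token)
	for _, pub := range cached {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return true
		}
	}
	return false
}

// RolloverOutcome plays one rollover: a partner that never refreshed metadata
// (stale) and one that refreshed after the new certificate was published as
// secondary (fresh) each verify a token issued after promotion.
func RolloverOutcome() (stale, fresh bool) {
	oldKey, newKey := genKey(), genKey()
	staleKeys := []*rsa.PublicKey{&oldKey.PublicKey}                    // metadata from before rollover
	freshKeys := []*rsa.PublicKey{&oldKey.PublicKey, &newKey.PublicKey} // metadata with secondary published
	tok := []byte("constructed sample token: upn=alice@example.test")   // constructed input
	sig := IssueToken(newKey, tok) // after promotion, tokens are signed with the new key
	return VerifyToken(staleKeys, tok, sig), VerifyToken(freshKeys, tok, sig)
}
```

The stale partner's failure is the outage the answer warns about; the fix on the partner side is to pull the metadata (or import the new public key) before the secondary certificate is promoted.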