The use of long-lived, self-signed certificates in metadata is strongly recommended. According to the SAML2int and MetaIOP profiles, the certificate is only a public key container and no method of validating the certificate information may be used.
...
1. Create a new key pair that is compliant with the federation
2. Create a copy of the metadata already published in the federation and add a new KeyDescriptor element containing the public key certificate. The metadata should now contain both the old and the new KeyDescriptor element. If there is a KeyDescriptor for signing and one for encrypting, do this for both.
...
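Step 2 can be scripted. The following is an added example, not part of the original page or of any federation's tooling: it places the new certificate beside every existing KeyDescriptor, once per `use` value, and leaves the old keys published. The function names, the sample entity and the placeholder certificate strings are assumptions made for illustration.

```python
import copy
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
CERT_PATH = f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate"

def cert_of(kd):
    """Base64 certificate body of a KeyDescriptor, whitespace removed."""
    return "".join((kd.findtext(CERT_PATH) or "").split())

def list_keys(metadata_xml):
    """(use, certificate) for every KeyDescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [(kd.get("use"), cert_of(kd)) for kd in root.iter(f"{{{MD}}}KeyDescriptor")]

def add_rollover_key(metadata_xml, new_cert_b64):
    """Publish new_cert_b64 beside each existing key; old keys stay in place."""
    root = ET.fromstring(metadata_xml)
    new_cert = "".join(new_cert_b64.split())
    for role in list(root.iter()):
        old = role.findall(f"{{{MD}}}KeyDescriptor")
        if not old:
            continue
        pos = list(role).index(old[-1]) + 1  # keep KeyDescriptors contiguous (schema order)
        for use in dict.fromkeys(kd.get("use") for kd in old):  # None = both uses
            same_use = [kd for kd in old if kd.get("use") == use]
            if any(cert_of(kd) == new_cert for kd in same_use):
                continue  # already published for this use, so reruns change nothing
            clone = copy.deepcopy(same_use[0])  # keeps use= and any EncryptionMethod
            key_info = clone.find(f"{{{DS}}}KeyInfo")
            for child in list(key_info):
                key_info.remove(child)  # drop old cert and stale KeyName/subject data
            x509_data = ET.SubElement(key_info, f"{{{DS}}}X509Data")
            ET.SubElement(x509_data, f"{{{DS}}}X509Certificate").text = new_cert
            role.insert(pos, clone)
            pos += 1
    return ET.tostring(root, encoding="unicode")

# Constructed sample metadata; certificate bodies are placeholders, not real keys.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.org/saml">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLDCERTPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLDCERTPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/acs"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(add_rollover_key(SAMPLE, "NEWCERTPLACEHOLDER"))
```

Running `list_keys` on the output before submitting it confirms that every `use` value lists both the old and the new certificate.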