How do I update my identity provider certificate in Salesforce?

Configure a domain using My Domain and deploy it to all users. For instructions, see Set Up a My Domain Name.
From Setup, enter Identity Provider in the Quick Find box, select Identity Provider, and click Enable Identity Provider.
By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm. If you’ve already created self-signed certificates, select the certificate to use when securely communicating with other services.
If you want to use a CA-signed certificate instead of self-signed certificate, follow these steps.
Create and import a CA-signed certificate. For instructions, see Generate a Certificate Signed by a Certificate Authority.
From Setup, enter Identity Provider in the Quick Find box, then select Identity Provider.
Click Edit, and then select the CA-signed certificate.
Click Save.
After you enable Salesforce as an identity provider, you can create connected apps to provide access to service providers.