
Re: Want to manually set Secondary certificates to Primary in ADFS during Grace period, how?


Yes, after the 5-day grace period it will automatically promote the new secondary certificate to being the primary certificate.

I think I wrote that it is switched at the primary's expiration time, but it is actually 5 days after the secondary certificate was created. Exactly 5 days after, it will be promoted!

You can also read it in the information below regarding the auto-renewal process.

ADFS default configuration:

Default configuration on AD FS regarding Token Signing and Token Decrypting certificates includes an auto-renewal process, [AutoCertificateRollover].

If you did not change this value from “True” to “False”, no renewal operation regarding token certificates is needed; this will happen automatically based on the triggers explained below.

Default values of ADFS, [see details below for default values]:

o The Rollover interval is checked by the AD FS service every 720 minutes (12 hours).

o If the existing primary certificate (Token Signing or Token Decryption) expiration time is within the window of the CertificateGenerationThreshold value (20 days), then a new certificate is generated and configured as the secondary certificate.

  - Noted by event ID 385 in the event logs

o It will remain as the secondary certificate until the CertificatePromotionThreshold value is observed (5 days); so, 5 days after creation of the certificate, it will be promoted and the existing primary will be configured as the secondary until the next CertificateGenerationThreshold window is observed

o Once the Promotion event has occurred, the Token Service will sign/encrypt all issued tokens with the new primary certificate

o This does not cause a service outage of AD FS 2.0, but an application issue when the token is received and signed with something other than the expected certificate. This is true for O365 or any other application.

o With AutoCertificateRollover enabled, AD FS 2.0 will continue to function as expected.
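The following PowerShell is an added example, not part of the original reply: it reads the rollover settings the post describes from the AD FS server and, for any secondary token certificate, computes the expected promotion time (secondary creation time plus CertificatePromotionThreshold days). It assumes the AD FS cmdlets are loaded (Import-Module ADFS on 2012 R2 and later, Add-PSSnapin Microsoft.Adfs.PowerShell on AD FS 2.0) and that the Admin log name matches your version.

```powershell
# Added example (not from the original thread): check the auto-rollover settings
# and estimate when the secondary certificate will be promoted to primary.
# Run in an elevated PowerShell session on the AD FS server.

$props = Get-AdfsProperties

# The knobs that drive auto-renewal, with the defaults quoted in the reply:
# AutoCertificateRollover=True, CertificateRolloverInterval=720 (minutes),
# CertificateGenerationThreshold=20 (days), CertificatePromotionThreshold=5 (days)
$props | Select-Object AutoCertificateRollover,
                       CertificateRolloverInterval,
                       CertificateGenerationThreshold,
                       CertificatePromotionThreshold | Format-List

if (-not $props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is False: no automatic promotion will occur."
}

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $certs     = Get-AdfsCertificate -CertificateType $type
    $primary   = $certs | Where-Object { $_.IsPrimary }
    $secondary = $certs | Where-Object { -not $_.IsPrimary }

    "{0}: primary {1} expires {2:u}" -f $type, $primary.Thumbprint, $primary.Certificate.NotAfter

    # A secondary only exists once the generation threshold has been crossed.
    foreach ($s in $secondary) {
        # Promotion happens CertificatePromotionThreshold days after the secondary
        # was created (its NotBefore), not at the primary's expiry.
        $promoteAt = $s.Certificate.NotBefore.AddDays($props.CertificatePromotionThreshold)
        "{0}: secondary {1} created {2:u}, expected promotion {3:u}" -f `
            $type, $s.Thumbprint, $s.Certificate.NotBefore, $promoteAt
    }
}

# Event ID 385 records generation of the new secondary certificate.
# Log name assumption: 'AD FS/Admin' on 2012 R2+, 'AD FS 2.0/Admin' on AD FS 2.0.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 385 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Relying parties (O365 or anything else consuming the federation metadata) must pick up the new key before the computed promotion time, otherwise tokens signed with the new primary will be rejected as the reply describes.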

