For security reasons, enterprises may require authentication for their API endpoints and websites. SSO via certificates allows a developer to leverage enrollment credentials to handle the authentication without prompting the end user of the app.
The certificate should be rotated if it's about to expire, or in case it becomes compromised.
To upload or update certificate:
Go to the Single Sign-On settings page.
Find the SAML SSO provider certificate option.
Upload the certificate PET file.
This will sign out all Org members and prompt them to sign in again.