...
Finally, a few days before the old certificate expires set the new certificate as primary. This will make SAML Responses being signed by the new certificate from this time. You do not have to do anything more in Kantega SSO since it already trusts the new certificate. When everything works, you may remove the old certificate from AD FS. You might also perform another metadata refresh in K-SSO to remove trust to the old certificate.
...