It’s now possible to use more than one public key certificate for single sign-on. At the single sign-on settings section on the account settings page you can now choose to use all vault items inside a vault section. This will allow you to upload new certificates issued by your SSO provider, even before they are actually used by the provider (this is called certificate rollover).
You can even automate this process by uploading the certificates using our API. We do recommend that you remove any old certificates that are no longer used, as this is considered a security best practice.