1. Generate a new IWA identity provider certificate as described in Generate and Download a Certificate Bundle for Service Providers and Identity Providers . The Common Name chosen before generating and downloading the certificate bundle can be any value for this certificate. That is, it is not required that it match the IWA server's hostname.
2. Once the contents of the certificate bundle .zip file have been extracted, create a .pfx file consisting of the new certificate and its corresponding private key. For example, using the openssl utility: 

openssl pkcs12 -export -out IWASAML.pfx -inkey private.key -in cert.pem
Export password:  <press Enter>

3. Copy the .pfx file to the target IWA server.
4. Configure the Integrated Windows Authentication Connector to use the new .pfx file for signing identity assertions: 
   1. On the IWA server, click Start > Configure RSA SecurID Access IWA Connector.
   2. Set the Issuer Signing Certificate to point to the new PFX file path. For example:  C:\inetpub\wwwroot\RSASecurIDAccessIWAConnector\config\IWASAML.pfx. Alternatively, backup the existing IWA .pfx file being replaced and then copy the new .pfx file into same/existing IWA .pfx file path.
5. Configure the IDRs to use the new IWA certificate for identity assertion verifications: 
   1. In the Administration Console menu, select Users > Identity Providers.
   2. Edit the IWA identity provider as in step 1 above. 
   3. At the bottom of the Connection Profile tab, use the Select File button to load the new cert.pem IWA SAML certificate. 
   4. Finish the wizard and then publish the changes.