Our software is an SP; we let customers authenticate to our service using their own IdPs. We are using the high-level API and we have a local certificate we are (I believe) signing messages with. However, this certificate is about to expire, so we want to switch over to our new certificate. In the local service provider configuration, you can specify more than 1 local certificate. However, it makes sense that it would only use 1 certificate to sign the messages. You would only use multiple certificates if you were trying to decrypt a message (I believe).
Am I correct in assuming that it signs the messages only with the first certificate you specify in the LocalCertificates section, and it ignores the rest?