The ServiceNow instance can automatically update the certificates associated with Identity Providers in the Multi-Provider SSO module. For this automatic update to happen, the field Advanced->IDP Metadata URL (on some versions called Metadata URL from which IDP properties are imported) on the Identity Provider [saml2_update1_properties] record must be set to the metadata URL of the IdP (Identity Provider). The metadata URL is different for each IdP and can be obtained from the settings or documentation of your IdP; some examples are below.
Once you've set the field Advanced->IDP Metadata URL, you need to click Test Connection before your changes can be applied. Note that if the certificate has already expired, this will not work. In that case, you can create the System Property glide.authenticate.multisso.test.connection.mandatory with type true|false and value false to bypass the need to run Test Connection before applying changes.
There's an out-of-box (OOB) Scheduled Job, 'Refresh MultiSSO IDP Metadata', that checks this URL every 30 minutes and updates the record if necessary. These updates include creating new X509 [sys_certificate] records and linking them to the IdP record if a new certificate is seen on the IdP.
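The following is an added example, not ServiceNow code and not part of the original article: it lists the signing certificates an IdP's SAML metadata publishes and reports those not yet known, which is the situation in which the refresh job described above creates new certificate records. The metadata document, entity ID and certificate bytes are constructed placeholders, and comparing by SHA-256 fingerprint is an assumption of this example, not a description of how the job compares certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for DER certificates (not real certs).
CERT_OLD, CERT_NEW, CERT_ENC = b"placeholder-old", b"placeholder-new", b"placeholder-enc"

def _key(use, raw):
    """Build one constructed KeyDescriptor element for the sample metadata."""
    b64 = base64.b64encode(raw).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed IdP metadata: two signing certs (a rotation in progress), one encryption cert.
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/metadata">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key("signing", CERT_OLD) + _key("signing", CERT_NEW) + _key("encryption", CERT_ENC)
    + '</md:IDPSSODescriptor></md:EntityDescriptor>')

def signing_cert_fingerprints(metadata_xml):
    """Return {sha256 hex fingerprint: DER bytes} for the IdP's signing certificates."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Metadata often wraps the base64 text across lines; strip whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            found[hashlib.sha256(der).hexdigest()] = der
    return found

def new_certificates(metadata_xml, known_fingerprints):
    """Fingerprints published in the metadata that are not in the known set."""
    return sorted(set(signing_cert_fingerprints(metadata_xml)) - set(known_fingerprints))

if __name__ == "__main__":
    known = {hashlib.sha256(CERT_OLD).hexdigest()}  # assumed: fingerprints already trusted
    for fp in new_certificates(SAMPLE_METADATA, known):
        print("new signing certificate in IdP metadata:", fp)
```

For metadata fetched from a real URL, parse it with a hardened XML parser such as defusedxml rather than the standard-library parser used here.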