John,
As far as I am aware, there is no feature to perform this in a more efficient and less impacting manner. I wish there was!
I have performed the following procedure to replace a certificate live without having to deactivate partnerships. However, I would like to stress that this is probably not a supported procedure from CA and should only be undertaken with great care and the ability to restore your policy store quickly. If you're using a policy store that is not easy to restore, I would probably suggest not doing the below.
I apologize; I wrote this procedure for myself, so please forgive its roughness.
- Open xpsexplorer
- Go to option 3 and find the new certificate.
- Write down the alias, IssuerDN, and SerialNumber values for the certificate.
- Exit and go back to the main menu.
- Go to option 141: SAML2SP.
- Get a writable copy of the necessary item.
- Replace "49:DSigningAlias, 50:DsigVerInfoIssuerDN, 51:DSigVerInfoSerialNumber" with the values you wrote down from the new certificate.
- Verify the object, and update the object.
- Go back to the main menu and open option 27: Certificate.
- Find the relevant certificate and write down the "CA.FED::Certificate" XID.
- Go back to the main menu, then option 59: SPPartnership 12. Open the relevant partnership and get a writable copy.
- Replace "40: SigningCertLink" with the appropriate "CA.FED::Certificate" option from the step above.
- Verify the object, then update the object.
- Verify the partnership is being signed with the new certificate.
Good Luck!
David
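The last step of David's procedure, verifying that the partnership is now signing with the new certificate, can be checked from a captured SAML Response instead of by inspection. The script below is an added example for this thread, not part of the post above and not a CA tool: it uses only the Python standard library to pull every ds:X509Certificate out of the message's KeyInfo, decode it, and compare its SHA-256 fingerprint and serial number with the certificate you recorded from XPSExplorer. The SAML Response and the two certificates in it are constructed fixtures built inline so the script runs offline; the "certificates" are DER skeletons carrying only a version and serial number, not valid X.509 certificates, and the issuer URL is a placeholder.

```python
"""Check which certificate a SAML 2.0 message carries in its signature KeyInfo.
Added example (standard library only); the fixtures at the bottom are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def cert_serial_hex(der_cert):
    """Serial number of a DER certificate as lowercase hex, DER sign padding removed.
    Reads Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                       # explicit [0] version present (v2/v3 certificates)
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    if len(value) > 1 and value[0] == 0x00:
        value = value[1:]                 # DER pads a positive INTEGER with a leading 0x00
    return value.hex()


def cert_fingerprint(der_cert):
    """SHA-256 fingerprint of the DER certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def signing_certs_in(xml_text):
    """DER bytes of every ds:X509Certificate in the message (base64 may be line-wrapped)."""
    root = ET.fromstring(xml_text)        # for untrusted input, use defusedxml.ElementTree
    certs = []
    for el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        certs.append(base64.b64decode("".join((el.text or "").split())))
    return certs


def partnership_uses_cert(xml_text, expected_der):
    """True only if the message carries at least one certificate in KeyInfo and every
    certificate it carries matches the expected one by fingerprint."""
    found = signing_certs_in(xml_text)
    expected_fp = cert_fingerprint(expected_der)
    return bool(found) and all(cert_fingerprint(c) == expected_fp for c in found)


# --- constructed fixtures: not real certificates, not a real partnership ----------------

def _der(tag, body):
    assert len(body) < 128                # short-form length is enough for these fixtures
    return bytes([tag, len(body)]) + body


def constructed_cert(serial_bytes):
    """DER skeleton with only version and serialNumber populated; NOT a valid X.509 cert."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    tbs = _der(0x30, version + _der(0x02, serial_bytes) + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


NEW_CERT = constructed_cert(b"\x01\x02\x03")   # stands in for the new signing certificate
OLD_CERT = constructed_cert(b"\x7f")           # stands in for the certificate being retired


def constructed_response(cert_der):
    """Minimal signed SAML Response carrying cert_der in KeyInfo; SignatureValue is a dummy."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml2sso</saml:Issuer>
  <ds:Signature xmlns:ds="{DS_NS}">
    <ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>
    <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {b64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


if __name__ == "__main__":
    for label, resp in (("after update", constructed_response(NEW_CERT)),
                        ("before update", constructed_response(OLD_CERT))):
        for c in signing_certs_in(resp):
            print(f"{label}: serial={cert_serial_hex(c)} sha256={cert_fingerprint(c)[:16]}...")
        print(f"{label}: signed with new cert? {partnership_uses_cert(resp, NEW_CERT)}")
```

Two caveats when using this against a real capture: KeyInfo is optional in an XML signature, so a partnership configured not to include the certificate yields no X509Certificate elements and the check returns False with nothing to compare; and a certificate appearing in KeyInfo only tells you which certificate the IdP claims to have signed with, so the conclusive check is that the SP validates the signature (with xmlsec or your SP's own validation logging) using the new certificate's public key.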