Updating the certificate at the AdminUI is pretty straight forward as it is GUI based.
Navigate to the expiring certificate and at the "Action" button select "Update Certificate" from dropdown list.
The missing part is how to update the certificate at the Azure side.
Run the Windows Azure Active Directory Module.
Run "Connect-MsolService" and enter your O365 admin credential.
Run "Get-MsolDomainFederationSettings -DomainName <yourdomain>"
Get the renewed certificate(in base64 format) and remove all the header/footer/carriagereturn to make 1 line base64 string.
You MUST have a single line of MIIGXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==.
At the powershell, run the following.
$cert = "<certificate base64 string>"
Set-MsolDomainFederationSettings -DomainName <domainname> -SigningCertificate "$cert"
Run "Get-MsolDomainFederationSettings -DomainName <domainname>" to verify the certificate is successfully updated.
More details at the following link.