According to https://www.microfocus.com/documentation/access-manager/5.0/admin/b5wzfj4.html:
Test Certificates: When you install Administration Console, the following test certificates are automatically generated
- test-signing
- test-encryption
- test-connector
- test-provider
- test-consumer
- test-stunnel
For strong security, we recommend that you replace these certificates, except the test-stunnel certificate, with certificates from a well-known certificate authority.
This leads me to believe the recommendation is for the signing and encryption certificates to come from a well-known certificate authority. Curious if this is what everyone is doing. The big issue with this is renewing the cert every year as well-known authorities provide certificates lasting only 13 months. I am not aware of a way for NAM to notify IDPs that the signing certificate has changed. Do IDPs monitor the metadata URL for changes? Or is this something implementation-specific? Anything in the SAML protocol discussing this?
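On the metadata question: a relying party that re-fetches the IDP metadata and diffs the certificates in its KeyDescriptor elements will see a rollover as soon as the new certificate is published. The following is an added illustration, not NAM code or anything from the original post; it assumes the IDP publishes the new signing certificate alongside the old one before switching (SAML 2.0 metadata allows several KeyDescriptors), and the "certificates" are constructed placeholder bytes standing in for real DER.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def certificate_fingerprints(metadata_xml: str) -> dict:
    """Map each key use to the SHA-256 fingerprints of the certificates the
    metadata publishes for it. A KeyDescriptor without a use attribute is
    valid for both signing and encryption, so it is recorded under both."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": set(), "encryption": set()}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                found[use].add(hashlib.sha256(der).hexdigest())
    return found


def diff_keys(previous: dict, current: dict) -> dict:
    """Report certificates that appeared or disappeared since the last fetch."""
    return {use: {"added": sorted(current[use] - previous[use]),
                  "removed": sorted(previous[use] - current[use])}
            for use in ("signing", "encryption")}


def sample_metadata(cert_blobs) -> str:
    """Constructed minimal IDP metadata; cert_blobs is a list of (use, bytes)."""
    kds = "".join(
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f'{base64.b64encode(blob).decode()}</ds:X509Certificate></ds:X509Data>'
        f'</ds:KeyInfo></md:KeyDescriptor>' for use, blob in cert_blobs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example.invalid/saml">'
            f'<md:IDPSSODescriptor>{kds}</md:IDPSSODescriptor></md:EntityDescriptor>')


# Constructed snapshots: before and during a signing-certificate rollover.
OLD = sample_metadata([("signing", b"CONSTRUCTED-SIGNING-CERT-2023"),
                       ("encryption", b"CONSTRUCTED-ENCRYPTION-CERT-2023")])
NEW = sample_metadata([("signing", b"CONSTRUCTED-SIGNING-CERT-2023"),
                       ("signing", b"CONSTRUCTED-SIGNING-CERT-2024"),
                       ("encryption", b"CONSTRUCTED-ENCRYPTION-CERT-2023")])

if __name__ == "__main__":
    print(diff_keys(certificate_fingerprints(OLD), certificate_fingerprints(NEW)))
```

Run against the real metadata URL on a schedule and alert on any non-empty "added" or "removed" list; the new fingerprint can then be confirmed out of band with the IDP operator before trust is updated.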