Renewing SAML signing certificate

According to https://www.microfocus.com/documentation/access-manager/5.0/admin/b5wzfj4.html:

Test Certificates: When you install Administration Console, the following test certificates are automatically generated:

  • test-signing
  • test-encryption
  • test-connector
  • test-provider
  • test-consumer
  • test-stunnel

For strong security, we recommend that you replace these certificates, except the test-stunnel certificate, with certificates from a well-known certificate authority.

This leads me to believe the recommendation is for the signing and encryption certificates to come from a well-known certificate authority. Curious if this is what everyone is doing. The big issue with this is renewing the cert every year as well-known authorities provide certificates lasting only 13 months. I am not aware of a way for NAM to notify IDPs that the signing certificate has changed. Do IDPs monitor the metadata URL for changes? Or is this something implementation-specific? Anything in the SAML protocol discussing this?
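The check the question asks about, as an added example that is not part of the original post and not Access Manager code: a metadata consumer pins the SHA-256 fingerprints of a partner's signing certificates and diffs them against freshly retrieved metadata. The entity ID, helper names and certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def fingerprint(der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the metadata publishes for signing."""
    # For metadata fetched over the network, use a hardened XML parser
    # (e.g. defusedxml) and verify the metadata's own signature first.
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(fingerprint(der))
    return found

def diff_signing_certs(pinned, metadata_xml):
    """Return (added, removed) fingerprints relative to the pinned set."""
    current = signing_fingerprints(metadata_xml)
    return current - pinned, pinned - current

# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_CERT, NEW_CERT, ENC_CERT = b"constructed-old", b"constructed-new", b"constructed-enc"

def sample_metadata(signing, encryption):
    """Build constructed SP metadata (hypothetical entity ID) with the given certs."""
    kds = "".join(
        '<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        % (use, base64.b64encode(c).decode())
        for use, certs in (("signing", signing), ("encryption", encryption))
        for c in certs)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://sp.example.test/metadata"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">%s'
            "</md:SPSSODescriptor></md:EntityDescriptor>" % (MD, DS, kds))

if __name__ == "__main__":
    pinned = signing_fingerprints(sample_metadata([OLD_CERT], [ENC_CERT]))
    # Rollover window: old and new signing certs are published side by side.
    print(diff_signing_certs(pinned, sample_metadata([OLD_CERT, NEW_CERT], [ENC_CERT])))
```

An empty `removed` set with a non-empty `added` set corresponds to a rollover window in which both certificates are published; a non-empty `removed` set means the pinned certificate is no longer advertised.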