@Lim Chong Sun Thanks for reaching out.
There are two server farm options that you can consider when you obtain token-signing certificates for your deployment:
1) A private key from one token-signing certificate is shared among all the federation servers in a farm.
In a federation server farm environment, we recommend that all federation servers share (or reuse) the same token-signing certificate. You can install a single token-signing certificate from a CA on a federation server and then export the private key, as long as the issued certificate is marked as exportable.
2) There is a unique token-signing certificate for each federation server in a farm.
When you use multiple, unique certificates throughout your farm, each server in that farm signs tokens with its own unique private key.
Read more about it here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/design/token-signing-certificates
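
The export-and-reuse step from option 1 in the answer above, sketched in PowerShell as an added example (not part of the original answer or of Microsoft's documentation). The function names, the thumbprint placeholder and the PFX path are assumptions; the certificate is assumed to sit in the LocalMachine\My store.

```powershell
# Added example. Function names, thumbprint and path are hypothetical placeholders.
$Thumbprint = '<TOKEN-SIGNING-CERT-THUMBPRINT>'   # placeholder, not a value from the page
$PfxPath    = 'C:\Temp\adfs-token-signing.pfx'    # hypothetical transfer file

# Run on the federation server where the CA-issued certificate was installed.
function Export-SharedSigningCert {
    param([string]$Thumbprint, [string]$PfxPath, [securestring]$Password)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store."
    }
    try {
        # Succeeds only if the issued certificate's key was marked as exportable.
        Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ErrorAction Stop | Out-Null
    }
    catch {
        throw "Export failed; the private key is probably not exportable: $($_.Exception.Message)"
    }
}

# Run on every other federation server in the farm after copying the PFX to it.
function Import-SharedSigningCert {
    param([string]$Thumbprint, [string]$PfxPath, [securestring]$Password)

    # -Exportable is deliberately omitted: the key is stored as non-exportable here,
    # so it cannot be exported a second time from this farm member.
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password -ErrorAction Stop

    # All farm members must end up with the same certificate.
    if ($imported.Thumbprint -ne $Thumbprint) {
        throw "Imported thumbprint $($imported.Thumbprint) does not match the expected certificate."
    }
    # The PFX contains the signing key; do not leave it on disk.
    Remove-Item -Path $PfxPath -Force
    return $imported
}

# Usage (prompt for the PFX password on each server; it is never stored in the script):
# $pw = Read-Host -Prompt 'PFX password' -AsSecureString
# Export-SharedSigningCert -Thumbprint $Thumbprint -PfxPath $PfxPath -Password $pw    # first server
# Import-SharedSigningCert -Thumbprint $Thumbprint -PfxPath $PfxPath -Password $pw    # other servers
```

Delete the PFX from the first server as well once every farm member has imported it.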