Take care of this folder that could contain private key. Be sure that this folder never is published.

Onelogin PHP Toolkit expects certs for the SP stored at:

 * sp.key   Private Key
 * sp.crt  Public cert
 * sp_new.crt Future Public cert

Also you can use other cert to sign the metadata of the SP using the:

 * metadata.key
 * metadata.crt

If you are using composer to install the php-saml toolkit, You should move the certs folder to  vendor/onelogin/php-saml/certs