I believe that they are first rotated after 24 hours (from time of cluster install). After that rotation, as far as I understand it, the service-ca operator manages a self-signed CA that is then used to create all the certificates the cluster uses internally. The docs here: https://docs.okd.io/latest/security/certificate_types_descriptions/service-ca-certificates.html
state that "the service CA is valid for 26 months and is automatically refreshed when there is less than 13 months validity left". I couldn't say for sure whether the certificates using this CA are rotated on the same interval, but I would hazard a guess that they're probably on the same schedule.