It should be possible to renew/replace an SSL certificate via ARM templates
When I deploy an ARM template (that has previously been deployed) which contains a certificate, I would expect that the certificate would be updated/replaced when the pfxBlob has changed.
The current behaviour is that that the deployment will succeed and the certificate will not be updated. This is not intuitive.
Currently, to work around this limitation, it is necessary to remove the existing SSL binding and certificate via the portal or Powershell.
Remove-AzureRmWebAppSSLBinding -Name $bindingName -ResourceGroupName $resourceGroupName -WebAppName $webAppName -DeleteCertificate $true