Arm templates are designed to be idempotent, that is, if a resources exists it will not be deleted, but configuration changes are applied if the template has been changed, linked resources like an SSL cert remain in place.
When you add an SSL thumbprint to an ARM template the thumbprint refers to an SSL certificate that is already uploaded against the resource its used for therefore nothing changes.
Its the principle used behind Continuous Integration / Continuous Deployment process from VSTS. Triggers deploy code amendments automatically to existing resources, ARM templates deploy new resources or amend environmental factors of existing resource , everything still has to work.
Hope that helps.
