If you do any work for ADFS, you'll know that self-signed certificates are a PIA.
You can use IIS, but the certificates it creates are only valid for a year, and ADFS no longer uses IIS in Server 2012 R2, so it's more effort to install.
There is always makecert but you have to jump through some hoops.
Then I came across this article:
Creating Self Signed Certificates with PowerShell
Fantastic - problem solved.
So the next time I did an install, I used it.
DAMN - ADFS rejects it because ADFS does not like CNG certificates (i.e. Certificate Next Generation).
Oh well - back to SelfSSL7.