First of all, you do not need ADFS to have Single Sign On between your on-premises clients, you can use Azure AD Connect Seamless SSO. Have a look if you are interested: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso.
Then, the token issued by ADFS is not encrypted. So there is no encryption certificate to use on the trust. That's expected. Note that the token is signed and it is transported over TLS.
By default, token signing and token decrypting certificates are self-signed. Those certificates automatically roll over, and unless you have an internal policy that prevents you from using self-signed certificates, you can just keep those as-is. Certificate revocation is not performed on those certificates.
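To verify the points above on an AD FS server, the following PowerShell checks (an added example, not part of the original answer) read the token-signing and token-decrypting certificates, the auto-rollover setting, and whether a given relying party trust has an encryption certificate configured. It assumes the AD FS PowerShell module is available on the server and uses a placeholder trust name that you would replace with your own.

```powershell
# Run on the AD FS server in an elevated PowerShell session.
Import-Module ADFS

# 1. Token-signing and token-decrypting certificates.
#    A self-signed certificate has Subject equal to Issuer.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type | ForEach-Object {
        $cert = $_.Certificate
        [PSCustomObject]@{
            Type       = $type
            IsPrimary  = $_.IsPrimary
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
        }
    }
}

# 2. Automatic certificate rollover settings (on by default for self-signed certs).
Get-AdfsProperties |
    Select-Object AutoCertificateRollover,
                  CertificateDuration,
                  CertificateGenerationThreshold,
                  CertificatePromotionThreshold

# 3. Encryption certificate on a relying party trust.
#    'ExampleTrust' is a placeholder; substitute the display name of your trust.
$rp = Get-AdfsRelyingPartyTrust -Name 'ExampleTrust'
if ($null -eq $rp.EncryptionCertificate) {
    Write-Output "No encryption certificate configured: tokens for this trust are signed but not encrypted."
} else {
    Write-Output "Encryption certificate present: $($rp.EncryptionCertificate.Thumbprint)"
}
# Revocation-check mode applied to the partner's certificates on this trust.
$rp | Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```

If `AutoCertificateRollover` is `True` and both certificate types report `SelfSigned = True`, the deployment matches the default described above and the certificates will be replaced automatically before they expire; only a trust that shows an encryption certificate actually issues encrypted tokens.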