Still working on the issue. Had no trouble generating a self-signed cert.
Do you know if there are any specific requirements for the certificate properties (other than binary DER with encrypted pvk file, key length of 2048 or less, AES256 encryption)? Any particular properties required (such as the CERT_KEY_PROV_INFO_PROP_ID or KEYSPEC property settings, such as those required to bind a pfx certificate to the instance via SSCM)? I've tried dumping the cer files produced by backing up the self-signed certificate, but a certutil -v of the files themselves doesn't show any of those attributes.