Using the PKI to generate certificates is NOT supported for production systems, as documented here:
https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...
I can't stress that enough. It is provided for convenience for testing purposes. For production systems or test systems that require proper security, please use certificates/keys specified from the source determined by your security admins, and make sure the procedures they specify for safeguarding the keys are in place and adhered to.