I replaced the self signed cert on the IIS website today with one generated from our CA. The Cert path goes root CA --> intermediate CA --> IAAS host.
The VRMGuestAgent now downloads a 3kb .pem file instead of a 2kb. file.
Openssl.exe s_client -connect <FQDN of IaaS server>:443 gives verify error:num=20:unable to get local issuer certificate now, and not 21. Still doesn't work though.
Not sure what else needs to be added to the certificate. We have a Server 2003 Intermediate (issuing) CA that is issuing the cert.
(I also ran the commands to update the other components and vRa is working as expected)