I ended up re-installing both copies of SRM and using PKCS#12 certificates internally signed by our Microsoft Enterprise Root CA. It took a few hours to re-create the Protection Groups, but it took me about a week to create the Certificates!
So no answer to the question ,just the usual IT 'solution' of doing it another way