I think you might need to install the cert chain in the template.
Had a similar issue before with IaaS self signed. Grabbing it and putting it in the trusted root store fixed the issue.
For your CA cert, your root cert needs to be in the template too..
Also, if you are switching IaaS certs you'll need to tell the other components about the change!
