Yes, I think you should be fine using this tool. The only thing to bear in mind is that you will need to add multiple host names to the certificate (Subject Alternate Names) which this tool allows for.

For my last distributed deployment I used OpenSSL to generate everything in the same manner.  The customer's CA didn't allow us to use wildcards so the three certs I requested were like this, everything played well and applied to the F5.

CN =siteprefixcloud.domain.com (vcva vip)

SAN - siteprefixcloudva01.domain.com

SAN - siteprefixcloudva02.domain.com

SAN - siteprefixcloud-db.domain.com (postgres vip)

CN = siteprefixiaasweb.domain.com  (iaas web vip)  

SAN - siteprefixiaasweb01.domain.com

SAN - siteprefixiaasweb02.domain.com

CN = siteprefixiaasmgr.domain.com (iaas manager vip)

SAN - siteprefixiaasmgr01.domain.com

SAN - siteprefixiaasmgr02.domain.com

Sample config.cfg file

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: siteprefixcloudva01.domain.com, DNS: siteprefixcloudva02.domain.com, DNS: siteprefixcloud-db.domain.com

[ req_distinguished_name ]

countryName = US

stateOrProvinceName = District of Columbia

localityName = Washington

0.organizationName = XXXXXX

organizationalUnitName = XXXXX

commonName = siteprefixcloud.domain.com

Then I run this command to generate a signing request and private key

openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config config.cfg

Then run this command to format the key in rsa format

openssl rsa -in rui-orig.key -out rui.key

Use that CSR to request the certificate and when it comes back you'll format accordingly.  On the windows boxes I made them all PFX's, the appliances needed the full chain cert + intermediate + root all in x509/pem format in one file.

This might be better suited to a new thread, but I'm having some certificate-related headaches right now as well.  I'm using the vRA appliance, and as near as I can tell the default keystore doesn't include any generally accepted root CA certificates.  I'm using Google apps as our outbound email server, and since the root cert they used isn't in the keystore I'm forced to allow self-signed certificates.  This is a lab server so I'm only a little bothered by that, but let's say I want to send an email via an Orchestrator flow--the ootb send notification flow doesn't provide any option for trusting all roots and just refuses to do anything at all.  I crossed my fingers and did vcac-config import-certificate, but there was no noticeable effect after restarting.  I even tried importing cacerts from my workstation's Java install, but I haven't been able to guess the keystore password.  The system admin and hardening guides only talk about replacing certificates for the various vRA components, and I'm frankly at a loss for what to try next.  Have any of you addressed this before?