Buckle up buckaroo. yeehaw.
First things first you need the KVM_Admin permission in AD.
Next log in to the KVM, if the cert is expired already open an incognito tab and you'll be able to bypass the error.
Sign in with AD credentials.
Under Security > Certificate | Fill out the page as follows:
The challenge password can be found in Keeper (Restricted Passwords) under "SAB KVM / Cert Challenge PW"
Click Create to generate a CSR and Key | Download both if prompted
Head on over to the INTCA
Request certificate > advanced certificate request
Open the csr.txt file in your Downloads folder and copy all text in the request box
Also change template to Web Server
Submit and download the certificate (not the chain)
Go back to the KVM and upload the key.txt file FIRST
Then upload the .cer file that you just generated
Go to the Maintenance tab and Reboot the server.
Boom done yay