I had a client with two AP9537SUM NMC2 (one v6.5.6 and another v6.6.4), and the v6.5.6 would only accept the p15 file created with your method using openssl. The v6.6.4 worked fine with a p15 using NMCCLI together with a Windows Server 2019 CA generating the der base64 certificate per this method posted by Mike Shellenberger.
I only made one change, DNS.2 to IP.1 = 192.168.240.6 (i.e., the management IP of the NMC), in subjectAlternateName. This way, the certificate will not show any warning even when accessed by IP address.
Also, I had to set NTP or manually adjust the date/time to be exact, as one post mentioned; otherwise the NMC will not be accessible on https:// (you will have to use telnet/ssh and enable http, if it is disabled). So the first thing should be to set NTP or the date/time correctly.
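The SAN change described in the comment above, as an added example that is not part of the original post or of APC's tooling: it builds a CSR whose SAN carries an `IP.1` entry, confirms the entry survives into the CSR and a certificate, and prints the validity window to compare against the NMC's clock. The hostname `nmc.example.internal`, the RSA-2048 key and the throwaway self-signature (standing in for the private CA) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. nmc.example.internal and
# RSA-2048 are assumptions; 192.168.240.6 is the IP quoted in the comment.
set -eu

make_csr() {   # $1 = work dir; writes nmc.cnf, nmc.key, nmc.csr
    cat > "$1/nmc.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = nmc.example.internal
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = nmc.example.internal
IP.1 = 192.168.240.6
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/nmc.cnf" \
        -keyout "$1/nmc.key" -out "$1/nmc.csr" 2>/dev/null
}

# Throwaway self-signature standing in for the private CA, so the checks
# below can also run against a certificate. Not for deployment.
self_sign() {  # $1 = work dir; writes nmc.crt
    openssl x509 -req -in "$1/nmc.csr" -signkey "$1/nmc.key" -days 30 \
        -extfile "$1/nmc.cnf" -extensions v3_req -out "$1/nmc.crt" 2>/dev/null
}

# True only if the exact IP is listed as a SAN (192.168.240.60 must not match).
has_ip_san() { # $1 = req|x509, $2 = file, $3 = IP
    openssl "$1" -in "$2" -noout -text |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "IP Address:$3"
}

# Prints notBefore/notAfter to compare against the NMC's clock.
validity() {   # $1 = certificate
    openssl x509 -in "$1" -noout -startdate -enddate
}

work=$(mktemp -d)
make_csr "$work"
self_sign "$work"
has_ip_san req  "$work/nmc.csr" 192.168.240.6 && echo "CSR carries the IP SAN"
has_ip_san x509 "$work/nmc.crt" 192.168.240.6 && echo "cert carries the IP SAN"
validity "$work/nmc.crt"
rm -rf "$work"
```

Running `has_ip_san x509` against the certificate returned by the CA is the useful check, since a CA template can drop SAN entries that were present in the CSR.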
I see several pieces of this post that reference wildcard certs not being supported. I would like a little clarification on that. Would a wildcard cert work if you generated the CSR and private key from the APC Security Wizard CLI, got the cert signed by a private CA, then married the cert to the key file back in the Security Wizard? Just trying to get some clarification. Also, I noticed that my older APC network cards would accept a cert I generated like this that had about 100 SAN entries. The 9641 cards don't accept the same cert. (It is a .p15 generated through the APC Security Wizard CLI as well.) Thank you in advance.