Tom,
The only time that generating keys can create an issue with sharing and moving them between clusters is when an HSM is involved with strict FIPS mode. This will not allow the keys to be exported/imported through the Policy Manager, so key data needs to be manually moved between clusters. When an HSM is not involved, then creating a key on one cluster, then creating a CSR to be signed by a CA, either internal or through a provider (Entrust, Verisign, etc.), to then update the certificate chain is straightforward through the Manage Private Keys menu option. Once the key, chain, and certificate have been combined, the bundle can be exported into a p12 bundle using the Export Key button on the properties page of the private key in Manage Private Keys. This p12 file can then be imported into any cluster and linked to a listen port. The p12 bundle can be created outside the Policy Manager and imported into the cluster as well.
Sincerely,
Stephen Hughes
Director, CA Support
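
The last point in the reply above, building the p12 bundle outside the Policy Manager, sketched with the OpenSSL command line as an added example that is not part of the original reply or of CA's tooling. The throwaway CA stands in for an internal or commercial CA, and the file names, subjects, the `gateway-ssl` alias and the `P12_PASS` variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Names, subjects and the alias are constructed placeholders.
# The passphrase is read from $P12_PASS so it never appears in argv.

build_p12() {            # usage: build_p12 <workdir>
  local d=$1
  ( umask 077            # key material must not be group/world readable
    # Stand-in CA; in practice gw.csr is sent to your internal or public CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Example Internal CA" \
      -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    # Private key plus CSR for the listen port's hostname.
    openssl req -new -newkey rsa:2048 -nodes \
      -subj "/CN=gateway.example.test" \
      -keyout "$d/gw.key" -out "$d/gw.csr" 2>/dev/null &&
    # The CA signs the CSR.
    openssl x509 -req -in "$d/gw.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 30 -out "$d/gw.crt" 2>/dev/null &&
    # Combine key, certificate and chain into one encrypted bundle.
    openssl pkcs12 -export -inkey "$d/gw.key" -in "$d/gw.crt" \
      -certfile "$d/ca.crt" -name gateway-ssl \
      -passout env:P12_PASS -out "$d/gw.p12" )
}

verify_p12() {           # usage: verify_p12 <bundle.p12> <ca.crt>
  local p12=$1 ca=$2 cert_pub key_pub
  # Public key of the leaf certificate inside the bundle.
  cert_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
             2>/dev/null | openssl x509 -noout -pubkey) || return 1
  # Public key derived from the bundled private key (piped, never written to disk).
  key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
            2>/dev/null | openssl pkey -pubout) || return 1
  # A bundle whose key does not match its certificate is rejected here.
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  # The leaf must chain to the expected CA.
  openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl verify -CAfile "$ca" >/dev/null 2>&1
}
```

Running `verify_p12` before importing a bundle into another cluster catches a mismatched key or a certificate issued by the wrong CA; the intermediate `gw.key` should be removed once the bundle exists.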