load balanced capsules in Satellite6

Hi!

Currently we have satellite5 + a puppet setup with load balanced compile masters.
We have around 4500 nodes.

We have started to work with satellite6 and I want to try to
use the Puppet functionality in Satellite6 instead of having a separate Puppet setup. To support 4500 nodes with hourly puppet runs we absolutely needs more than one Puppet master.

I have been thinking about a setup consisting of one satellite6 server, and 2-8 load balanced capsules. Satellite6 will also act as the Puppet CA. BigIP will be used as a load balancer with a VIP nnn.nnn.nnn.nnn with a dns record of satllite6.example.com.
requests for satlelite6.example.com/certificates will be directed to Satellite6 while other Puppet requests, package download, etc will be directed to the load balanced content capsules.

I have started to install satlellite6. In order to support load balancing and have flexibility I want to create ssl-certs for satellite and the capsules with the primary hostname as the cn, and with satellite6.example.com as altname. How can I do this?
I have tried to follow the guide for satellite5: https://access.redhat.com/solutions/1466193 but when I try to sign the csr with the local CA of satellite6 I get prompted for the passphrase for the private key of the CA which I don't have. I think that in the satellite5 installer the user was prompted for the passphrase during the installation, but I did not get such a prompt while installing satellite6.

Have anyone tired a load balanced setup with satellite6 and capsules. Any directions is greatly appreciated.

Thanks,

Erling