While implementing our EEM server to use custom/signed certificates (following instructions similar to what's here: Apply own p12 certificate in place of the default CA Embedded Entitlements Manager (EEM) certificate), the EEM Server fails to start when separating the private/public key and using a password protected private key. 

Release : ITPAM 4.3, EEM 12.6

This happens is because "PBE algorithms are not allowed in FIPS mode". Based on this you need to make a choice of:

• Use FIPS ON mode without a private key that is not password protected; or
• Use FIPS OFF mode with a private key that is password protected.