You won´t need to change the certificates on CP Management Server. You´ll need to install a new SubCA Certificate issued from Microsoft CA to the gateway.
As you have to import the certificate for this via the Smart Console from .pfx, you will have to create the CSR somewhere else, then let the AD CA sign the request and fullfill the procedure on the checkpoint. Then convert / export this to pfx+password pair.
As far as I remember, most Security Products based on Linux and similar have problems with certificate with RSASSA-PSS algorithm used. That can be kind of a show stopper.
You can use openssl on the a Check Point machine (expert mode) or the windows certreq / certutil tools.
a hint, how to use openssl for creating a request and converting the certificate files to .pfx:
How to generate Server Certificate Signing Request (CSR) and import the new 3rd Party certificate to...
Signing the CSR on the Microsoft CA
Depending on the CA configuration and demands, you´ll have to create a new SubCA template, for example.
Now you can copy the cert file to the machine, where you created the csr and according to the link above convert to pfx and export the bundle to pfx file and password.
Copy the created file to your client.
Now you can install the certificate to the gateway using the .pfx file - described here:
Best Practices - HTTPS Inspection
When you imported the certificate you should export the private key to somewhere, no one has access to, unless in case of emergency , and delete it from the local machine.
Hope it helped