No, still waiting for Citrix support or someone here to come up with a hint.

Trying to find some meaningful logs I reached the SSL logs in Apache - we're using Apache in front of CloudPlatform to get rid of the ":8080/client" thing. And there I've seen the API uploadCustomCertificate call executed while I was trying to upgrade the SSL certificate. In this call the new line (NL) and carriage return (CR) characters are passed as %0A%0D. I think these are the characters that CloudStack GUI refers to as illegal non-printable ASCII characters. So I removed these characters from the certificate and key and tried again but I've got the same error. I checked the SSL log and I noticed that some characters like "/" were passed through the API using their hexa code like %2F. So I went to the command line and crafted an URL keeping the ASCII representation of the certificate and key, URL that I tried to pass to the API using curl command. Now I'm getting:
"Not a valid protocol version:..." followed by the certificate and key. Better than before but still not fixed.

At this point I'm kind of lost...

Think you are on the right track... I would run dos2unix on the certificate file to be sure...

When you are making the curl call, assuming directly to the API, are you including your key and command signature? Look at the API guide on how to do this properly.

--Mike

There is a known issue with uploading custom certificate in CloudPlatform 3.0.6 release. The bug is scheduled to be fixed in 3.0.7 patch B which should be available in last week of July.