I managed to both change certificates and external load balancer + FQDN.
In my test I managed to do it in 2 ways.
#1: Using the tip in this thread I used the FQDN I wanted as gateway-va name, then I changed the certificates as described in the documentation with no load balancer option, then I moved the workspace FQDN in my DNS to point at the load balancer, I created new records in the DNS for the gateway-va (gateway01.something.local), then using yast I renamed the gateway-va VM and rebooted. I then found the load balancer option already configured with a valid certificate.
#2: From the start I pointed the workspace FQDN to the load balancer, which was already configured with the cert I wanted to use; all workspace VMs had their own entry in DNS (gateway01, data01,.... etc). The load balancer redirects everything to the gateway-va. After completing the setup without changing anything regarding SSL and certs I went to change the FQDN with load balancer and it all went well.
The reason why these procedures work and others don't is that when you change the FQDN there is a check that verifies that the new FQDN has a certificate that matches the URL in the common name of the certificate, so it means this has to be taken care of BEFORE you perform the change:
ERROR [tomcat-http--29] com.vmware.horizon.configurator.vm.remote.impl.ConnectorRemoteImpl - Error when updating Connector connector-15.vsphere.lab with new IDP Url. Response from server: "Hostname is invalid or not reachable". Could not connect to the URL. hostname in certificate didn't match: <gateway-15.vsphere.lab> != <workspace-15.myvirtualife.net>
This will throw the infamous "Invalid IDP host/port".
So, if you start with method #1 you already have it in place because it's generated during setup.
With method #2 you point at something else where you already applied a certificate with correct requirements.
Another way I tried was method #2 without load balancer, where I would change the self-signed certificate with another self-signed certificate with the new FQDN name I wanted before changing, just like I was describing in the 1.0 version in this blog post using the "wizardssl.hzn" command:
http://myvirtualife.net/2013/07/27/how-to-install-horizon-workspace-using-an-external-database/
This doesn't work because even if the new cert gets generated correctly there are still some URLs (at least one) that show the old cert, and this makes the FQDN change fail.
In the coming days I will write an extensive tutorial about how to implement solution #1 and #2.
If you are interested, subscribe to my blog to be notified when I publish it: http://myvirtualife.net
As load balancer I use haproxy with SSL offload. I will also post instructions about how to build that, just need some days since I'm still on holiday ;-)
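
The pre-change check described in the post above (the certificate served at the new FQDN must already carry a matching name), as an added example that is not part of the original post or of the product. The function names and the sample certificates are constructed for illustration, reusing the two hostnames from the log line, and the matching assumes RFC 6125-style rules: subjectAltName DNS entries are used when present, the common name otherwise.

```python
import socket
import ssl

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_OLD = {"subject": ((("commonName", "gateway-15.vsphere.lab"),),)}
SAMPLE_NEW = {
    "subject": ((("commonName", "workspace-15.myvirtualife.net"),),),
    "subjectAltName": (("DNS", "workspace-15.myvirtualife.net"),),
}


def cert_names(cert):
    """DNS names a certificate is valid for: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive compare; '*' counts only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def fqdn_covered(cert, fqdn):
    """True if the certificate would be accepted for the FQDN you plan to set."""
    return any(name_matches(n, fqdn) for n in cert_names(cert))


def fetch_cert(host, port=443, cafile=None, server_name=None):
    """Fetch the certificate served at host:port (for example the load balancer).
    cafile: PEM CA bundle, or the self-signed certificate itself (assumption)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; names are compared above
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        ok = fqdn_covered(cert, "workspace-15.myvirtualife.net")
        print(label, cert_names(cert), "OK" if ok else "MISMATCH")
```

Against a live appliance, run `fqdn_covered(fetch_cert(...), new_fqdn)` for every endpoint that will answer on the new name, since one endpoint still serving the old certificate is enough to make the check fail.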