On a recent customer deployment we got the requirement of that all certificate signing would be signed from a 3rd party trusted certificate provider. This is all no problem and you can follow this: https://docs.omnissa.com/bundle/workspace-one-access-administration-guide/page/GenerateandUseanExternalSigningCertificateforSAMLAuthenticationinWorkspaceONEAccess.html but keep the following in mind:
* Existing signing certificates and an import is not possible
* The request and signing needs to be done from Access, importing is not possible of an already validated certificate
* Keep the 1 year maximum in mind and with renewals and SAML SP/IDP configurations keep in mind that an dynamic import can take some time
Hope it helps.