So after some lengthy testing and discussion with Microsoft Support, we came up with the following workaround.
It involves generating a certificate per server (distribution point) that is deployed.
Here's the script that does the deed:
# Work in the machine store so the request is made (and the key generated) under the computer account
Set-Location -Path cert:\LocalMachine\My
# Request a certificate from the AD-published CA using the DP template; replace FQDNofDP with the DP's FQDN
Get-Certificate -Template CM12PXECert -Url ldap: -SubjectName "CN=FQDNofDP"
# Password that will protect the exported private key
$secure_string_pwd = '$omethingH@rdT0Gue$$' | ConvertTo-SecureString -Force -AsPlainText
# Export certificate plus private key to the PFX that Add-CMDistributionPoint consumes
Get-ChildItem cert:\LocalMachine\my | where {$_.Subject -match "CN=FQDNofDP"} | Export-PfxCertificate -FilePath C:\windows\temp\FQDNofDP.pfx -Password $secure_string_pwd
Set-Location -Path cert:\
# Remove the certificate and its private key from this server's store; the PFX is now the only copy
Get-ChildItem cert:\localmachine\my | where {$_.Subject -match "CN=FQDNofDP"} | Remove-Item -DeleteKey
This script requests a new certificate from the certificate authority, then exports it, together with the required private key (protected with a strong password), to a PFX file that the Add-CMDistributionPoint cmdlet needs.
Next, the script deletes the certificate and its private key from the server where it was requested, in this case the primary ConfigMgr site server.
Note: ensure that the server's computer account, not just the user running the script, has the required permission on the certificate template to request a new certificate!
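The same request/export/delete sequence wrapped in a per-DP function, added here as an example and not part of the original post. It assumes the PKI module cmdlets (Get-Certificate, Export-PfxCertificate, Get-PfxData), that Get-Certificate reports the string status 'Issued' on success, and uses the post's CM12PXECert template; the DP names and output folder are placeholders. It differs from the script above in two ways worth having: it works by thumbprint so a previously issued certificate with the same subject is never exported or deleted by accident, and it checks that the PFX actually contains the private key before removing the only store copy.

```powershell
function New-DPCertificatePfx {
    param(
        [Parameter(Mandatory)] [string]$DpFqdn,
        [Parameter(Mandatory)] [SecureString]$PfxPassword,
        [string]$Template = 'CM12PXECert',          # template name from the post
        [string]$OutDir   = 'C:\windows\temp'       # placeholder output folder
    )
    # Enrol against the CA published in AD; -CertStoreLocation replaces the Set-Location step.
    $result = Get-Certificate -Template $Template -Url 'ldap:' -SubjectName "CN=$DpFqdn" `
                              -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') {   # assumption: 'Issued' is the success status string
        throw "Enrolment for $DpFqdn returned '$($result.Status)'; check the computer account's template permission"
    }
    $cert    = $result.Certificate
    $pfxPath = Join-Path $OutDir "$DpFqdn.pfx"

    # Export by thumbprint, not by subject match, so an older cert for the same DP is never swept up.
    Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" |
        Export-PfxCertificate -FilePath $pfxPath -Password $PfxPassword | Out-Null

    # Verify the PFX really carries the private key before the store copy is destroyed.
    $pfx      = Get-PfxData -FilePath $pfxPath -Password $PfxPassword
    $exported = $pfx.EndEntityCertificates | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $exported -or -not $exported.HasPrivateKey) {
        throw "PFX for $DpFqdn lacks the private key; leaving the certificate in the store"
    }

    # Only now remove the certificate and its key from the primary site server.
    Remove-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
    return $pfxPath
}

# Usage: one PFX per distribution point, password entered once instead of hard-coded in the script.
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
'dp01.contoso.local', 'dp02.contoso.local' |
    ForEach-Object { New-DPCertificatePfx -DpFqdn $_ -PfxPassword $pfxPwd }
```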
While this wasn't what I had originally envisaged, it turns out that this is a better-practice solution anyhow.
That said, I still think there is a bug in the cmdlet(s), because if I had to rebuild one of these deployed distribution points, I would like to think that I could re-use the exported certificate, rather than generate another for the same box!
Watch this space, hopefully there will be a hotfix for the issue, or a fix in a service pack.