When CIS is configured on a clustered NSS volume, you must use the cluster resource IP for CIS configuration, thus a server certificate with the cluster IP and SAN name is required.
Section C.1, Creating Certificates for CIS using Identity Console
Section C.2, Creating Certificates for CIS using iManager