1.2.5 Cluster certificate

A certificate key pair, provided by you, is used to secure all communication to the cluster. A self-signed certificate is generated and can be used for accessing the cluster initially, but for a production deployment, we recommend that you provide your own cluster certificate.

  • The cluster certificate key pair you provide must be in the PEM format.

  • The certificate should contain the hostname of your load balancer, both as the common name and as a DNS Subject Alternative Name (SAN) entry.

  • If you are not using an external load balancer, the certificate should contain a DNS SAN entry for each node in the cluster.

  • When nodes are accessed directly, each node in the cluster serves the certificate. If direct node access is desired, add a DNS SAN entry for each node that does not already have one.
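
The requirements above can be checked before the key pair is supplied to the cluster. The following is an added example, not part of the product documentation: a shell function that verifies PEM encoding, that the key matches the certificate, and that the common name and DNS SAN entries are present. It assumes OpenSSL 1.1.1 or later on the PATH; the function name `check_cluster_cert` and all hostnames passed to it are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the product documentation): pre-flight check for a
# cluster certificate key pair. Hostnames and file names are the caller's.
#
# Usage: check_cluster_cert CERT KEY LB_HOST [NODE_HOST...]
#   LB_HOST   load balancer hostname, or "" when no external load balancer
#   NODE_HOST nodes that need their own DNS SAN entry
# Returns 0 when every requirement holds; each problem is reported on stderr.
# SAN entries are compared literally, so a wildcard entry does not count.
check_cluster_cert() {
  local cert="$1" key="$2" lb="$3" rc=0 host cn sans
  shift 3

  # 1. Both files must be PEM encoded and parseable.
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
     ! openssl x509 -in "$cert" -noout 2>/dev/null; then
    echo "FAIL: $cert is not a PEM certificate" >&2; return 1
  fi
  if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
     ! openssl pkey -in "$key" -noout 2>/dev/null; then
    echo "FAIL: $key is not a PEM private key" >&2; return 1
  fi

  # 2. The private key must belong to the certificate.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: private key does not match the certificate" >&2; rc=1
  fi

  # 3. The load balancer hostname must be the common name.
  if [ -n "$lb" ]; then
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p' | head -n 1)
    [ "$cn" = "$lb" ] ||
      { echo "FAIL: common name is '$cn', expected '$lb'" >&2; rc=1; }
  fi

  # 4. The load balancer and every listed node need a DNS SAN entry.
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
         tr ',' '\n' | sed 's/^ *//')
  for host in $lb "$@"; do
    printf '%s\n' "$sans" | grep -qxF "DNS:$host" ||
      { echo "FAIL: no DNS SAN entry for $host" >&2; rc=1; }
  done
  return "$rc"
}
```

A passphrase-protected private key causes OpenSSL to prompt for the passphrase during the check.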