
You could use self-signed certificates and/or separate keystores and truststores if required.

Create the keystores (certificates for each of the servers)

keytool -genkeypair -alias apiServer.prd -keyalg RSA -keysize 2048 -validity 1825 -keystore D:\sslkey\apiServer.prd.jks

Generate a certificate signing request (CSR) for the Java keystore

keytool -certreq -alias apiServer.prd -keystore D:\sslkey\apiServer.prd.jks -file D:\sslkey\apiServer.prd.csr

Get the CSR signed by the Certificate Authorities


Import a root or intermediate CA certificate to the existing Java keystore

keytool -import -trustcacerts -alias root -file "C:\Program Files\Java\jre7\lib\security\cacerts.crt" -keystore D:\sslkey\apiServer.prd.jks

Import the signed primary certificate to the existing Java keystore.


keytool -importcert -keystore apiServer.prd.jks -trustcacerts -alias apiServer.prd -file apiServer.prd.crt

Repeat steps 1-6 for each of the servers.

In order to establish trust between the master and slave hosts:

Import the signed certificates of all the (slave) servers that the Domain Controller must trust into the Domain Controller's keystore

keytool -importcert -keystore apiServer.prd.jks -trustcacerts -alias slaveServer.prd -file slaveServers.prd.crt

Repeat this step for all slave hosts.

Import the signed certificate of the Domain Controller into the keystore of each slave host

keytool -importcert -keystore slaveServer.prd.jks -trustcacerts -alias apiServer.prd -file apiServer.prd.crt

Repeat this step for all slave hosts.

This has to be done because (as per Red Hat's documentation)
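
A check for the result of the import steps above, as an added example that is not part of the original page: it reads the output of "keytool -list -keystore <file>" and confirms that the server's own alias is a PrivateKeyEntry and that the root and peer aliases are trustedCertEntry. The function names and the sample output are constructed for illustration, and the parser assumes keytool's non-verbose listing in an English locale.

```python
import re

# One entry line of non-verbose `keytool -list` output: "<alias>, <date>, <type>,"
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), .+, (?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$")

def parse_keytool_list(text):
    """Map alias (lower-cased, as a JKS keystore stores it) to entry type."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").lower()] = m.group("type")
    return entries

def check_keystore(text, own_alias, trusted_aliases):
    """Return a list of problems; an empty list means the keystore looks right."""
    entries = parse_keytool_list(text)
    problems = []
    own = entries.get(own_alias.lower())
    if own != "PrivateKeyEntry":
        # A CA reply imported under an alias other than the key pair's becomes
        # a trustedCertEntry; the key entry keeps its self-signed certificate.
        problems.append(f"{own_alias}: found {own}, expected PrivateKeyEntry")
    for alias in trusted_aliases:
        kind = entries.get(alias.lower())
        if kind != "trustedCertEntry":
            problems.append(f"{alias}: found {kind}, expected trustedCertEntry")
    return problems

# Constructed sample output (dates and fingerprints are made up).
GOOD = r"""Your keystore contains 3 entries

root, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33
apiserver.prd, Jan 5, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 44:55:66:77
slaveserver.prd, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 88:99:AA:BB
"""
# Constructed failure: the key pair sits under "apiserver-key", the signed
# certificate was imported as "apiserver.prd", and the slave cert is missing.
BAD = r"""Your keystore contains 3 entries

root, Jan 5, 2015, trustedCertEntry,
apiserver-key, Jan 5, 2015, PrivateKeyEntry,
apiserver.prd, Jan 6, 2015, trustedCertEntry,
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_keystore(sample, "apiServer.prd", ["root", "slaveServer.prd"]))
```

Run the same check against each slave keystore with the aliases swapped (own alias slaveServer.prd, trusted alias apiServer.prd).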

Manually create a CSR

openssl genrsa -out apiServer.key 2048

openssl req -new -key apiServer.key -out apiServer.csr

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

set OPENSSL_CONF=D:\AppleDev\opensslx86_64\OpenSSL\bin\openssl.cfg

openssl genrsa -out mblapi-key.key 2048

openssl req -new -key mblapi-key.key -out csr.txt
