Generate the CSR on the first appliance. Put the FQDN that users actually use to reach the cluster in the Common Name: either the FQDN of the cluster VIP, or the FQDN of the external load balancer if you are using one.
Put this SAME FQDN in the Subject Alternative Name field as well; browsers validate the SAN list, not the CN, so a cert whose FQDN is only in the CN will be rejected. You can also add the FQDN of the internal VIP (if an external LB is used) and the FQDNs of the individual nodes, each on a new line. Make sure there is NO carriage return after the last entry.
Give the request a sensible filename that identifies the cert, because that name is shown in the PAM UI and you will be renewing it at some stage (e.g. "PAM_Cert_2018-02-20", so the date of issue is visible).
Send the CSR to the AD PKI admin and get the cert back. Ask for a Base64-encoded (PEM) cert, not binary DER: the later step that pastes cert and key into one text file only works with Base64 text.
Rename the returned cert to the SAME filename as the request, with a .crt extension (not .cer; turn on "show file extensions" in Explorer so a hidden .cer or .txt does not sneak in), e.g. "PAM_Cert_2018-02-20.crt". Then upload the cert. Because the filename matches the private key generated with the CSR, PAM pairs the two.
Then download the private key. Enter a passphrase WITHOUT special characters.
Open both the cert and the private key in Notepad++.
In a new text file, paste the Base64 cert followed by the private key (cert first, then private key), with no blank lines or stray characters between the two blocks.
Save this new file with the same filename as the cert and private key but WITHOUT any extension, e.g. "PAM_Cert_2018-02-20".
On the second node, upload this new file as "certificate and private key".
On each node, set the new cert to be the operational cert and restart.
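The manual Notepad++ steps above are where this procedure usually goes wrong: a cert from the wrong CSR, a missing FQDN in the SAN list, or Windows CR/LF line endings left in the combined file. The script below is an added example, not part of the original runbook or the PAM product, that assembles the combined "certificate and private key" file with OpenSSL and refuses to write it unless the cert and key belong together and the cluster FQDN is present in both the CN and the SAN list. It assumes the OpenSSL CLI is installed; the file names, the FQDN pam.example.local and the passphrase Secret123 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original runbook): build and sanity-check the
# combined PAM "certificate and private key" file before uploading it.
# Assumptions: OpenSSL CLI available; file names, FQDN and passphrase are placeholders.

# List the DNS names in the certificate's Subject Alternative Name, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeed only if the cert's public key equals the public key derived from the
# (passphrase-protected) private key, i.e. the cert really came from this CSR.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# build_pam_bundle CERT.crt KEY PASSPHRASE CLUSTER_FQDN OUTFILE
# Writes OUTFILE (cert first, then key) with LF line endings, no CRs and no
# trailing blank line. OUTFILE should be the shared base name with no extension.
build_pam_bundle() {
    cert=$1; key=$2; pass=$3; fqdn=$4; out=$5

    cert_matches_key "$cert" "$key" "$pass" \
        || { echo "cert and private key do not match" >&2; return 1; }
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn" \
        || { echo "CN is not $fqdn" >&2; return 1; }
    cert_dns_sans "$cert" | grep -qx "$fqdn" \
        || { echo "SAN list does not contain $fqdn" >&2; return 1; }

    # tr drops Windows CRs; awk 'NF' drops blank lines and guarantees every
    # line (including the last) ends in exactly one LF.
    { tr -d '\r' < "$cert"; tr -d '\r' < "$key"; } | awk 'NF' > "$out" || return 1

    # The result must be exactly two PEM blocks in the order PAM expects.
    [ "$(grep -c '^-----BEGIN' "$out")" -eq 2 ] || return 1
    head -n1 "$out" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    tail -n1 "$out" | grep -q 'PRIVATE KEY-----$' || return 1
    echo "wrote $out"
}

# Usage: sh build_pam_bundle.sh PAM_Cert_2018-02-20.crt PAM_Cert_2018-02-20.key \
#            Secret123 pam.example.local PAM_Cert_2018-02-20
[ "$#" -eq 5 ] && build_pam_bundle "$@"
```

Run it on the downloaded .crt and private key; if it prints anything other than "wrote ...", fix the input before touching the appliances. The key stays passphrase-protected in the output file; the script only uses the passphrase to derive the public key for the match check.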