instances.yml has covered all your nodes, then you don't need to run certgen again.
Generally, speaking you should only run
certgen on a single node, as it generates its own CA, and you need all the node certificates to be signed by that CA (and copying the CA key to all your nodes isn't a great idea).
You can generate multiple certs at once as you have done, or run it multiple times to generate a single node (but using the same CA each time), but just run it from 1 server.
is that all I need to do
You also need to make changes to
elasticsearch.yml (which I assume you know, but it's good to make sure)