Yes, that is correct.
There are a few ways you can approach this, but the main options are:
- generate everything at once using `instances.yml` (on a single machine)
- explicitly generate a CA, and then generate a certificate for each node using that CA (on a single machine)
- explicitly generate a CA, copy it to each server (with the key), and then generate a certificate on each node using that CA. (I'd discourage this though, because it means your CA key is copied to lots of machines and that opens up an unnecessary attack vector).
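
The second option above (CA and every node certificate created on one machine, with the CA key never leaving it), shown with plain `openssl` as a stand-in for the Elastic certificate tooling. This is an added example, not part of the original post; the directory layout, node name and DNS name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the post): CA and node certificates built on ONE
# machine with openssl; only the per-node directory is copied to each server.
# Paths, node names and DNS names are constructed sample values.
CA_DIR="${CA_DIR:-./pki/ca}"        # never leaves the signing machine
OUT_DIR="${OUT_DIR:-./pki/nodes}"   # one sub-directory per node

make_ca() {
    mkdir -p "$CA_DIR" && chmod 700 "$CA_DIR" || return 1
    # Relies on the default openssl.cnf marking req -x509 output as CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Cluster CA" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null || return 1
    chmod 600 "$CA_DIR/ca.key"
}

make_node_cert() {   # usage: make_node_cert <name> <dns-name>
    name="$1"; dns="$2"; dir="$OUT_DIR/$name"
    mkdir -p "$dir" || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$dns" > "$dir/san.ext"
    openssl x509 -req -in "$dir/$name.csr" -days 365 \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/$name.crt" 2>/dev/null || return 1
    rm -f "$dir/$name.csr" "$dir/san.ext"
    cp "$CA_DIR/ca.crt" "$dir/ca.crt"    # public CA certificate only
    chmod 600 "$dir/$name.key"
}

check_bundle() {     # usage: check_bundle <name>; run before copying to a node
    dir="$OUT_DIR/$1"
    [ ! -e "$dir/ca.key" ] || return 1   # fail if a file named ca.key is present
    openssl verify -CAfile "$dir/ca.crt" "$dir/$1.crt" >/dev/null 2>&1
}
```

Call `make_ca` once, then `make_node_cert` and `check_bundle` per node; each node directory then holds only that node's key, its certificate and the public CA certificate.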