Certificate requirements for MongoDB replica set

Is my understanding correct that we need two certificates to properly secure a MongoDB replica set for client access from outside a cluster deployed in Kubernetes (assuming we use SCRAM for authentication)?

  1. One certificate is used to encrypt all traffic between replica set members
  2. Another certificate is used for external clients connecting to the database

All the examples I can find on the internet use the same certificate for both. As a result, the SAN field contains internal cluster names. No CA (as of approximately 2015) will issue a public certificate that secures internal domain names, which leaves me in a quandary if my assumption above is incorrect.

For #2, I really do not want to manage deploying a private CA root certificate in order for it to be trusted. I have customers who will be using our database directly, and I would ideally like to use a public CA such as DigiCert or Entrust for issuing certificates.