Many thanks for all the replies about this - in the end, I drew up a plan using bits and pieces pulled from the and the RH manual for DS. It worked nicely. I made a CA cert as per the script and then generated server cert requests from the GUI, generated the certs on the command line from the CA and installed the server certs in the GUI. Then I imported the CA cert via the GUI. Everything works. It allowed me to name the certs nicely to instead of all being "server-cert" or whatever. Replication is now working over SSL and client TLS access to any server is working when clients have a copy of the CA cert.