With high-security SQL Server configurations we usually want to encrypt the data in transit between SQL Server and the application servers. It's a little more trouble with a Failover Cluster Instance (FCI) than with a stand-alone instance, and this post is primarily just a link to help me make sure I can easily find this article:
I'll point out that a critical factor in the article is that you must be logged into the server with the SQL Server service account when you open the SQL Server Configuration Manager to select the certificate, if the SQL Server service account is a domain account (and it should be if you're complying with the DoD Database STIG).
Also, a community comment contains another critical element: you have to edit the registry on each node. See the note for more info and links to the details.
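Because both steps above (selecting the certificate as the service account, and editing the registry on every node) are easy to get half-right, here is a per-node verification script. It is an added example, not code from the original post or from the linked article, and it is written from memory of the standard SQL Server registry layout: the instance ID is resolved from `Instance Names\SQL`, and the `Certificate` (thumbprint) and `ForceEncryption` values live under the instance's `MSSQLServer\SuperSocketNetLib` key. Those paths, the `$InstanceName` parameter and the private-key file locations are assumptions to verify against your SQL Server version. Run it as an administrator on each FCI node; it reports whether the certificate is registered, whether it exists in the machine store with a private key, and whether the service account has read access to that key.

```powershell
# Added example (not from the original post): verify SQL Server TLS certificate
# configuration on the node this runs on. Run on EACH FCI node.
# Assumption: registry layout below is the standard SQL Server layout.
param(
    [string]$InstanceName = 'MSSQLSERVER'   # assumed: default instance name
)

$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# Resolve instance name -> instance ID (e.g. MSSQL16.MSSQLSERVER).
$instanceId = (Get-ItemProperty -Path "$base\Instance Names\SQL").$InstanceName
if (-not $instanceId) { throw "Instance '$InstanceName' not found on $env:COMPUTERNAME" }

# Certificate thumbprint and ForceEncryption flag for this instance, on this node.
$netLib = "$base\$instanceId\MSSQLServer\SuperSocketNetLib"
$props  = Get-ItemProperty -Path $netLib
$thumb  = $props.Certificate
$force  = $props.ForceEncryption

# Service account actually running the instance (what the comment in the post refers to).
$svcName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
$account = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").StartName

# Locate the on-disk private key file for a certificate (CNG or legacy CAPI key).
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
                  "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    } else { return $null }
    foreach ($d in $dirs) {
        $p = Join-Path $d $name
        if (Test-Path $p) { return $p }
    }
    return $null
}

$result = [ordered]@{
    Node               = $env:COMPUTERNAME
    InstanceId         = $instanceId
    ServiceAccount     = $account
    ForceEncryption    = [bool]$force
    CertRegistered     = -not [string]::IsNullOrWhiteSpace($thumb)
    CertInMachineStore = $false
    HasPrivateKey      = $false
    KeyReadableBySvc   = $false
}

if ($result.CertRegistered) {
    # Registry stores the thumbprint as hex; PowerShell -eq compares case-insensitively.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if ($cert) {
        $result.CertInMachineStore = $true
        $result.HasPrivateKey      = $cert.HasPrivateKey
        $keyFile = if ($cert.HasPrivateKey) { Get-PrivateKeyFile -Cert $cert } else { $null }
        if ($keyFile) {
            # Note: Win32_Service may report DOMAIN\user or user@domain; the ACL uses DOMAIN\user.
            $acl = Get-Acl -Path $keyFile
            $result.KeyReadableBySvc = [bool]($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $account -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
            })
        }
    }
}

[pscustomobject]$result
```

Run it on every node and compare the output: a node where `CertRegistered` is false is the "forgot to edit the registry on this node" case, and a node where the cert is present but `KeyReadableBySvc` is false will fail over with a certificate error even though Configuration Manager looked fine on the node where you selected it.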