Transport security

Between clients and servers (the server's own cert, with any intermediate CA certs appended after it, and its private key; clients verify this chain against the CA they trust):

--cert-file ~/certs/cert_with_chain.crt
--key-file ~/certs/private.key

Between cluster nodes (the cert a node presents to the other nodes on its peer port, and its key; same layout as above):

--peer-cert-file ~/certs/cert_with_chain.crt
--peer-key-file ~/certs/private.key

Authentication

Between clients and servers (the CA that client certs must chain to, and the switch that makes presenting one mandatory):

--trusted-ca-file ~/certs/clients/client-ca.crt
--client-cert-auth

With --client-cert-auth every client must present a cert that chains to the CA in --trusted-ca-file, otherwise the TLS handshake itself is refused; a cert from any other CA, or no cert at all, never reaches the application layer. Issuing each client its own cert (rather than sharing one) is what makes clients distinguishable and individually revocable. If the two lines above are not used, any client that trusts the server cert can open a connection, and a client can then authenticate with username/password instead.

Between cluster nodes (the CA that peer certs must chain to, and the switch that makes presenting one mandatory):

--peer-trusted-ca-file ~/certs/peers/peer-ca.crt
--peer-client-cert-auth

This means each cluster node must be able to verify the other nodes' peer certs against peer-ca.crt, and must present its own peer cert (signed by that CA) when it connects to them; a node whose peer cert does not chain to the peer CA is refused at the handshake. Note that the client CA and the peer CA are separate trust roots: a cert issued by client-ca.crt does not authenticate as a peer, and a peer cert does not authenticate as a client, even though both are valid certs.
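The following is an added example, not code from the page or from the server these flags belong to (they are etcd's flags; that etcd is the server is an assumption here). It shows, using only the Go standard library, what the client-server flags above actually enforce, and the peer flags apply the same rule on the peer port with peer-ca in place of client-ca. It builds a throwaway PKI (the CA and host names server-ca, client-ca, peer-ca, etcd-server, client-1 and client-2 are all made up for the example), configures a TLS listener the way --cert-file/--key-file, --trusted-ca-file and --client-cert-auth do, and connects three clients over loopback TCP: one with no cert, one with a cert from client-ca, and one with a perfectly valid cert from peer-ca. Only the second is accepted; the third is refused because peer-ca is not in the trusted CA file, which is the separation of trust roots described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a P-256 key and a cert for name: a self-signed CA when parent == nil,
// otherwise a leaf signed by parent/parentKey with the given extended key usage.
func issue(name string, serial int64, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil { // self-signed CA: it signs itself and may sign others
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// handshake connects one client to a server over loopback TCP and returns the
// server's verdict: nil if the client was authenticated and served a reply.
func handshake(srvCfg, cliCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		must(err)
		s := tls.Server(raw, srvCfg)
		defer s.Close()
		if err = s.Handshake(); err == nil {
			_, err = s.Write([]byte("ok"))
		}
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	c := tls.Client(raw, cliCfg)
	defer c.Close()
	// Under TLS 1.3 the client's Handshake returns before the server has checked
	// its cert, so read the reply too; the server-side error is what counts.
	if c.Handshake() == nil {
		_, _ = c.Read(make([]byte, 2))
	}
	return <-done
}

// Scenario names, in order: no client cert; a cert from client-ca (the CA in
// --trusted-ca-file); a valid cert from peer-ca, which this listener must not trust.
var scenarios = []string{"no cert", "cert from client-ca", "cert from peer-ca"}

// runScenarios builds a throwaway PKI (all names made up for this example),
// configures the server like the flags above and returns each client's verdict.
func runScenarios() map[string]error {
	_, serverCA, serverCAKey := issue("server-ca", 1, x509.ExtKeyUsageAny, nil, nil)
	_, clientCA, clientCAKey := issue("client-ca", 2, x509.ExtKeyUsageAny, nil, nil)
	_, peerCA, peerCAKey := issue("peer-ca", 3, x509.ExtKeyUsageAny, nil, nil)
	server, _, _ := issue("etcd-server", 4, x509.ExtKeyUsageServerAuth, serverCA, serverCAKey)
	good, _, _ := issue("client-1", 5, x509.ExtKeyUsageClientAuth, clientCA, clientCAKey)
	wrong, _, _ := issue("client-2", 6, x509.ExtKeyUsageClientAuth, peerCA, peerCAKey)
	trusted, roots := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(clientCA) // --trusted-ca-file: client-ca only, not peer-ca
	roots.AddCert(serverCA)   // what clients verify the server's chain against
	srv := &tls.Config{
		Certificates: []tls.Certificate{server},     // --cert-file / --key-file
		ClientCAs:    trusted,                        // --trusted-ca-file
		ClientAuth:   tls.RequireAndVerifyClientCert, // --client-cert-auth
	}
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: roots, ServerName: "etcd-server", Certificates: certs}
	}
	out := map[string]error{}
	for i, cfg := range []*tls.Config{client(), client(good), client(wrong)} {
		out[scenarios[i]] = handshake(srv, cfg)
	}
	return out
}
```

Printing runScenarios() shows a nil verdict only for "cert from client-ca"; the other two come back with the server's rejection reason (a missing certificate, and a chain that does not reach a CA in the trusted pool). Dropping the ClientAuth line is the equivalent of leaving out --client-cert-auth: all three clients then connect, and whatever authentication happens after that is the server's own business, not TLS's.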

For more info see 1.