As always, different people's setups may need different solutions, but I can describe my working OD Master + OD Replica setup and you can see if that helps guide you.
I have a self-signed root CA that I created. Using that, I then created individual server certificates for each server. The server certificates use a CN (Common Name) matching the fully qualified domain name of the server, so a server called odmaster.domain.com has a certificate with the Common Name odmaster.domain.com, and the replica server with an FQDN of odreplica.domain.com has a certificate with the Common Name odreplica.domain.com.
When adding the certificate to each server I have to add the private key, the matching (public) certificate, and a copy of my self-signed root CA certificate. This is a total of three items, two of which are different for each server. After adding these to the server I set the server to use the added server certificate for encrypting all services, including of course Open Directory. Because both servers use and trust the same root CA certificate, they will 'trust' each other.
As is always the case, you must have a correctly set up DNS configuration with both forward and reverse records correctly set up. This is best tested by running the following command in Terminal.app:
sudo changeip -checkhostname
Some people may use purchased server certificates and some people may use wildcard certificates; I did not use either of these.
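The certificate layout described in the post above (one private root CA, one server certificate per host with the CN set to that host's FQDN, and the three items bundled for import), as an added example using openssl. This is not the poster's own script or commands; the hostnames odmaster.domain.com and odreplica.domain.com come from the post, while the CA name, key sizes, validity periods, PKCS#12 passphrase and file layout are assumptions made here. The last function checks what the two servers will effectively check when they talk to each other: that the certificate chains to the shared root CA and that it is valid for the expected hostname.

```shell
#!/bin/sh
# Added example (not from the original post): build a private root CA, issue one
# certificate per Open Directory server whose CN and subjectAltName is the server's
# FQDN, bundle key + cert + root CA into a .p12, and verify chain and hostname.
# CA name, key sizes, validity periods, passphrase and paths are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a self-signed root CA (private key + certificate) in directory $1.
make_root_ca() {
  dir="$1"
  mkdir -p "$dir"
  # Extensions that mark this certificate as a CA able to sign other certs.
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.csr" \
    -subj "/CN=Example OD Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/rootCA.csr" -signkey "$dir/rootCA.key" \
    -days 3650 -sha256 -extfile "$dir/ca.ext" -out "$dir/rootCA.pem" >/dev/null 2>&1
}

# Issue a server certificate for FQDN $2, signed by the root CA in $1.
# CN is the FQDN, and the same name goes into subjectAltName because modern
# TLS clients ignore the CN when a SAN is present. serverAuth and clientAuth
# are both included since OD master and replica each act as client and server.
make_server_cert() {
  dir="$1"; fqdn="$2"
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth,clientAuth' \
    "subjectAltName=DNS:$fqdn" > "$dir/$fqdn.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
    -subj "/CN=$fqdn" >/dev/null 2>&1
  openssl x509 -req -in "$dir/$fqdn.csr" \
    -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.pem" >/dev/null 2>&1
  # The three items the post says each server needs: private key, matching
  # certificate, and the root CA certificate. Passphrase is a placeholder.
  openssl pkcs12 -export -inkey "$dir/$fqdn.key" -in "$dir/$fqdn.pem" \
    -certfile "$dir/rootCA.pem" -passout pass:changeit \
    -out "$dir/$fqdn.p12" >/dev/null 2>&1
}

# Print the Common Name of certificate file $1.
cert_common_name() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/.*CN=//'
}

# Succeed only if certificate $2 in $1 chains to rootCA.pem AND is valid for hostname $3.
verify_cert_for_host() {
  dir="$1"; certname="$2"; host="$3"
  openssl verify -CAfile "$dir/rootCA.pem" -verify_hostname "$host" \
    "$dir/$certname.pem" >/dev/null 2>&1
}

make_root_ca "$WORKDIR"
for host in odmaster.domain.com odreplica.domain.com; do
  make_server_cert "$WORKDIR" "$host"
  echo "$host: CN=$(cert_common_name "$WORKDIR/$host.pem") -> $WORKDIR/$host.p12"
done
```

A mismatch between the name the other server connects to and the name in the certificate is exactly what `verify_cert_for_host` rejects, which is why the post's insistence on correct forward and reverse DNS matters: `sudo changeip -checkhostname` confirms the FQDN the server believes it has is the one DNS returns, and that is the name the certificate must carry. If the .p12 is built with OpenSSL 3 and an older macOS refuses to import it, re-export with `-legacy` to use the older PKCS#12 encryption.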