Replacing the CA key pair and as such, the different signed certificates will break the trust between cluster endpoints. If you don’t have any nor don’t have plans, you can use your own company CA, but you’re on your own with that. See the discussion here: Own CA for Icinga Cluster/API communication?
My question still stands: How does the current Nginx config look like which terminates TLS up front and should proxy the requests towards Icinga?
Cheers,
Michael