OK, so: yes off course you will have to delete the old object and create a cluster object including each of needed appliances. By that: you'll have to redo SIC.
And, a new certificate will be generated and pushed at the first policy installation on each gateways' cluster.
But you can create on your own and then import it. By that, you will be able to find its fingerprint and updating the trac.config of your clients before you're cutover.
You'll find it the IPSec VPN section of the cluster object, such as:
and you'll have to place it in the internal_ca_fingerprint field of the trac.config file:
Information Security enthusiast, CISSP, CCSP