Third-party VPN certificates have always been rather tedious on Check Point. First, you must create a Trusted CA, then a subordinate CA to get the entire chain trusted on your management server. Then you have to create the CSR based on this, get it signed, and then import and have it trusted.
I don't think you can utilise the same certificate on multiple gateways, as you will have to start with a new CSR per gateway/cluster.
This process is much easier and seamless with the Mobile Access blade enabled. In Mobile Access, you can simply import .p12 directly without jumping through all the other hoops:
But I'm not entirely sure if the certificate you import into the Mobile Access portal will be available to choose as a certificate for Site-2-Site IPsec VPN. When you jump through the hoops not using Mobile Access, your certificate will be available for Site-2-Site IPsec VPN and Remote Access. Not entirely sure if that is the case when using Mobile Access or if it will be available for Remote Access only.
Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME