We have fully reconfigured the certificate generation and rotation on our clusters. Application and database clusters can now communicate with each other again.
By this new and clean setup we think the chance of the issue coming up again is low. We are actively monitoring the situation to see if the new configuration is holding up as expected.