It’s a little different, because there’s only 1 certificate for all the outgoing OPC UA connections.
The Modbus TLS spec embeds a client-specified (!!) operator role in each client certificate, which means not only do you need one per connection, you can’t sensibly use self-signed certificates, you have to deal with having a CA-signed and issued certificate per connection from a CA that the Modbus TLS server trusts.