In some cases, clients will be deployed without TLS certificates and will connect to the peer when the peer uses TLS.
In this kind of scenario, the peer would send a certificate request to the client, and it will not send anything back - and then the discovery service would reject the peer's connection.
In order to ensure the clients will be able to use the discovery service in spite of lack of TLS certificate, we can just have them auto-generate one and self-sign it.
Then, the peer would obtain the certificate (but not verify it!) and a mutual TLS handshake will take place, which would allow the client to authenticate to the peer.
Note - for Service Discovery, this is required even when peer is not setup for mutual TLS, that is, even when the peer has clientAuthRequired=false.