The Bastion requires SSL certificate. Either in .pfx format or .crt + .key format. In order for the Bastion to be able to use the certificate the Private Key password has to be supplied (it can be encrypted).
The certificate should be signed by a public Root CA. This is optional if using a reverse proxy in front of the Bastion with SSL offloading capabilities since the load balancer could ignore the certificate being not valid.
The certificate needs to have Skype for Business addresses in its “Subject Alternative names” section.
When using EWS capabilities the certificate also needs to have the EWS and Autodiscover addresses.
There is no connection between the Edge certificate to Bastion certificate!