1. Install CA, configure as root CA.
2. On your CA Server launch the Certification Authority Management Console > Certificate Templates > Right Click > Manage.
3. Locate the Kerberos Authentication certificate > Make a Duplicate.
4. General Tab > Call it ‘LDAPoverSSL’ > Set its validity period > check to publish the cert in AD.
5. Request Handling Tab > Select ‘Allow private key to be exported’ > Apply > OK. Close out of the templates.
6. Right click Certificate Templates again > NEW > Certificate Template to issue.
7. Locate and select the ‘LDAPoverSSL’ certificate > OK.
8. Now log on to a DOMAIN CONTROLLER > Windows Key+R > mmc {Enter} > File > Add/Remove Snap-in > Add in the Certificates Snap-In > Computer account > Finish > OK > Expand Certificates > Personal > Certificates > Right Click > All Tasks > Request New Certificate > Next > Next.
9. Select the LDAPoverSSL Certificate > Enroll > Close the Certificate Snap-in.
10. In my case I need my device to ‘Trust’ the CA, so on the CERTIFICATE SERVER open a command window and run the following command:
certutil -ca.cert ca_name.cer
11. It will display the certificate PEM on the screen and should complete successfully.
12. You will notice my command was run while I was on the root of the C: drive; yours will probably be C:\Users\{your-username}. Go there and retrieve a copy of the ‘Root Certificate’ (the ca_name.cer file written by certutil).
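Once the domain controller has enrolled and you have the root certificate file, the check a practitioner wants is whether the DC actually answers LDAPS with a certificate that chains to that root, carries the Server Authentication EKU, and names the DC in its SAN. The script below is an added example, not part of the original steps; the DC name and the path to the exported root certificate are assumptions you replace with your own, and it is run from a domain-joined Windows machine.

```powershell
# Added example: verify LDAPS on a domain controller against the exported root CA.
# Assumptions (replace with your values): the DC FQDN and the ca_name.cer path from step 12.
param(
    [string]$DomainController = "dc01.corp.example",
    [string]$RootCertPath     = "C:\Users\your-username\ca_name.cer"
)

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)

# Open a TLS session to port 636. The callback returns $true only so the handshake completes and
# we can inspect the certificate ourselves; the real trust decision is made by the chain build below.
$client = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($DomainController)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

# Build the chain and require that it terminates at the root we exported with certutil,
# not merely at any CA the local machine happens to trust.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$built = $chain.Build($leaf)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$chainsToOurRoot = $built -and ($chainRoot.Thumbprint -eq $root.Thumbprint)

# The Kerberos Authentication template includes Server Authentication (1.3.6.1.5.5.7.3.1);
# without it LDAPS clients will reject the certificate.
$eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

# The SAN must carry the DC's DNS name, otherwise hostname validation fails on the client side.
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$nameMatches = $sanText -match [regex]::Escape($DomainController)

$ssl.Dispose(); $client.Close()

[pscustomobject]@{
    Subject          = $leaf.Subject
    NotAfter         = $leaf.NotAfter
    ChainsToOurRoot  = $chainsToOurRoot
    HasServerAuthEKU = $hasServerAuth
    SanNamesDC       = $nameMatches
    SAN              = $sanText
}
```

All three boolean fields should be True; a False in ChainsToOurRoot usually means the DC picked a different certificate from its Personal store, and a False in SanNamesDC means you connected by a name the template did not put in the SAN.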