Generating LDAPS TLS certificates on the ECS portal
Follow the steps described in Generating a PKCS #12 to generate an LDAPS TLS certificate for each domain. Specifically:
Select the issuing CA described in Creating an Entrust-hosted Certificate Enrollment Gateway for WSTEP.
Use the multiuse-p12-key-encipherment-client-server certificate profile described in Multiuse certificate profiles.
The CN in the subject DN must match the FQDN of the Domain Controller (for example: dc.example.com).
The validity period cannot exceed 397 days.
The Subject Alternative Names must include a DNS name matching the FQDN of the Domain Controller.
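
The following check is an added example, not part of the original documentation or of any Entrust tooling. It verifies a parsed certificate against the three requirements listed above, using only the Go standard library. The names CheckLDAPSCert and SampleCert are hypothetical, the self-signed sample certificate is constructed for the demonstration, and it assumes a case-insensitive exact name match and a validity measured as NotAfter minus NotBefore.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckLDAPSCert returns one message per listed requirement the certificate violates.
func CheckLDAPSCert(c *x509.Certificate, fqdn string) []string {
	var issues []string
	if !strings.EqualFold(c.Subject.CommonName, fqdn) {
		issues = append(issues, "subject CN does not match the Domain Controller FQDN")
	}
	if c.NotAfter.Sub(c.NotBefore) > 397*24*time.Hour {
		issues = append(issues, "validity period exceeds 397 days")
	}
	sanOK := false
	for _, name := range c.DNSNames {
		sanOK = sanOK || strings.EqualFold(name, fqdn)
	}
	if !sanOK {
		issues = append(issues, "no SAN DNS entry matches the Domain Controller FQDN")
	}
	return issues
}

// SampleCert builds a constructed, self-signed test certificate (hypothetical helper).
func SampleCert(cn string, sans []string, days int) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	start := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: start, NotAfter: start.Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint("building sample certificate: ", err, perr))
	}
	return cert
}

func main() {
	fmt.Println(CheckLDAPSCert(SampleCert("dc.example.com", nil, 398), "dc.example.com"))
}
```

To check a certificate issued from the portal, decode its DER or PEM form with x509.ParseCertificate and pass the result to CheckLDAPSCert together with the Domain Controller FQDN.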