Third Party Wildcard Certificate on DCs for LDAPS

I am trying to provide Authentication as a Service to my customers. LDAP authentication is perfect for this; however, I am not a fan of clear-text sessions... enter LDAPS. Active Directory of course has LDAPS turned on; however, the certificate used is self-signed or signed by the local domain CA. This becomes problematic for various reasons. I cannot require my customers to trust my self-signed or locally signed certificate. A third-party certificate that my customers do trust would work, but unless I am going to create and purchase a new certificate each time I bring up a domain controller, that isn't going to work. OK... so a third-party wildcard certificate SHOULD work, but how do you implement it?

I have of course Googled and have read: How to enable LDAP over SSL with a third-party certification authority, Enable LDAP over SSL - Using Wildcard Cert?, and Wildcard Certificate on a DC for LDAPS.

All of those are great but I am still missing something...
What are the exact steps to follow?

Am I simply following the steps at How to enable LDAP over SSL with a third-party certification authority but using CN=*.domain.ext instead of CN=mydc.domain.ext ?


Leaving aside the sense of exposing AD DS to the internet, the KB 321051 you cite says:

The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:

The Common Name (CN) in the Subject field.
A DNS entry in the Subject Alternative Name extension.

The FQDN requirement means a wildcard will not work, or at least usually should not work (as always, it depends on the client code).
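The difference between the strict KB 321051 rule (the DC's exact FQDN must appear as the Subject CN or as a SAN DNS entry) and what a typical RFC 6125-style TLS client does with a wildcard is what makes the answer's "it depends on client code" remark true in practice. The following script is an added example, not code from the question, the answer, or Microsoft's KB: it takes a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns and evaluates both rules against a DC name. The hostnames (`dc01.domain.ext`, `*.domain.ext`) and the two certificate dicts are constructed samples; `fetch_ldaps_cert` is a helper for pulling the live certificate from a DC's LDAPS port and is not needed for the offline run.

```python
"""
Added example: evaluate a certificate's names against (a) the strict
KB 321051 requirement quoted above and (b) RFC 6125-style wildcard
matching as a typical TLS client would apply it. Certificate dicts and
hostnames are constructed samples, not real infrastructure.
"""
import socket
import ssl


def _cn_and_dns_names(cert):
    """Pull the Subject CN and the SAN DNS entries out of a certificate in
    the dict form returned by ssl.SSLSocket.getpeercert()."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                cn = value
    dns_names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    return cn, dns_names


def kb321051_name_ok(cert, dc_fqdn):
    """Strict reading of KB 321051: the DC's own FQDN must appear verbatim
    as the Subject CN or as a SAN DNS entry. A wildcard never satisfies it."""
    cn, dns_names = _cn_and_dns_names(cert)
    target = dc_fqdn.lower().rstrip(".")
    names = [n.lower() for n in ([cn] if cn else []) + dns_names]
    return target in names


def _wildcard_label_match(pattern, host):
    """RFC 6125-style matching: '*' is honoured only as the entire left-most
    label, matches exactly one label, and needs at least two fixed labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    if len(p_labels) < 3:  # refuse '*.ext' style patterns
        return False
    return p_labels[1:] == h_labels[1:]


def rfc6125_client_accepts(cert, dc_fqdn):
    """What a typical modern client does: SAN DNS entries are matched with
    wildcard rules, and the CN is consulted only when there is no SAN."""
    cn, dns_names = _cn_and_dns_names(cert)
    candidates = dns_names if dns_names else ([cn] if cn else [])
    return any(_wildcard_label_match(p, dc_fqdn) for p in candidates)


def fetch_ldaps_cert(host, port=636, timeout=5.0):
    """Retrieve the certificate a DC presents on the LDAPS port as a dict in
    the same shape as the samples below. Live network call: it raises
    ssl.SSLCertVerificationError if the chain is not trusted locally, which
    is exactly the failure the customers in the question would see."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() dict form (not real certs)
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.ext"),),),
    "subjectAltName": (("DNS", "*.domain.ext"),),
}
PER_DC_CERT = {
    "subject": ((("commonName", "dc01.domain.ext"),),),
    "subjectAltName": (("DNS", "dc01.domain.ext"), ("DNS", "ldap.domain.ext")),
}

if __name__ == "__main__":
    dc = "dc01.domain.ext"
    for label, cert in (("wildcard", WILDCARD_CERT), ("per-DC", PER_DC_CERT)):
        print(f"{label:8s} KB321051={kb321051_name_ok(cert, dc)!s:5s} "
              f"RFC6125-client={rfc6125_client_accepts(cert, dc)}")
```

Run as a script it shows the split the answer describes: the wildcard certificate fails the KB's verbatim-FQDN test while an RFC 6125 client would still accept it for `dc01.domain.ext`, and it would not accept it for a DC in a child domain such as `dc01.child.domain.ext`, because the wildcard covers exactly one label. The per-DC certificate passes both.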