Active Directory TLS

The certificate will enable LDAPS on port 636. Active Directory uses sign and seal and is already secure when using port 389. Yes, they can coexist at the same time.

This article should help explain LDAPS: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

This article explains how to use a third-party certificate to enable LDAPS: https://support.microsoft.com/en-us/kb/321051

According to this article, the certificate must be issued to the FQDN of the server, so a wildcard certificate might not work: https://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx

You don't need a commercial certificate to secure LDAP in Active Directory; all computers accessing it will by definition be domain members (*), thus you can use Windows' own Certificate Services to build an AD-integrated certification authority, which will be automatically trusted by all users and computers in the domain.

(*) Should you need to perform LDAP queries from a non-domain-joined device, you'll simply need to import the root certificate of your CA into its store of trusted certificates.
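As an added example (not from either answer above), the following Python script connects to a domain controller on port 636, optionally trusting an exported root certificate of an AD-integrated CA (the non-domain-joined case in the second answer), and reports whether the server certificate names the DC's FQDN exactly or only through a wildcard, the caveat raised in the first answer. The host name, CA file path and port constant are assumptions for illustration; `ldaps_name_verdict` works on the dict shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl
from typing import Optional

LDAPS_PORT = 636  # LDAPS port, as stated in the answers above


def ldaps_name_verdict(cert: dict, dc_fqdn: str) -> str:
    """Classify how a DC certificate names the server.

    cert has the shape of ssl.SSLSocket.getpeercert(). Returns 'exact' when
    the FQDN appears as a subjectAltName dNSName entry (or, lacking SAN
    entries, as the subject CN), 'wildcard' when only a *.parent entry
    covers it (may not work for AD LDAPS), otherwise 'mismatch'.
    """
    fqdn = dc_fqdn.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when no dNSName SAN is present
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    if fqdn in names:
        return "exact"
    parent = fqdn.split(".", 1)[1] if "." in fqdn else ""
    if parent and f"*.{parent}" in names:
        return "wildcard"
    return "mismatch"


def probe_ldaps(dc_fqdn: str, ca_file: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection to the DC on 636 and report the result.

    ca_file is the exported root certificate of the AD-integrated CA; a
    domain member already trusts it, a non-domain-joined host must supply it.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # chain + hostname checks on
    with socket.create_connection((dc_fqdn, LDAPS_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    return {"tls_version": version, "name_check": ldaps_name_verdict(cert, dc_fqdn)}


if __name__ == "__main__":
    # Hypothetical DC name and CA export path; replace with your own.
    print(probe_ldaps("dc1.corp.example.com", ca_file="corp-root-ca.cer"))
```

A `name_check` of `wildcard` means the connection verified under standard TLS rules but the certificate is not issued to the DC's FQDN, which the TechNet article above says AD may reject.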