The simplest way is using the MMC certificates. However is it only available for the GUI-based Windows servers. If you are using Core-based Servers, you cannot use the MMC. Or if you prefer, it is also possible using the command line:

Note: To request a SSL certificate on w2k8-w2k8r2, it is recommended to use the default CA template: Kerberos Authentication (typically for Domain controllers – but it requires FW rule TCP 445 from Issuing CA to Domain controllers. We suppose here below, the kerberosauthentication template is published by your enterprise PKI and you enable the Subject Alternative Names too.

Procedure using certreq:

1) from the server: create a request.inf file that contains

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[RequestAttributes]
CertificateTemplate = KerberosAuthentication
; Omit section below if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
;----------------- end of request.inf -----------------

2) prepare the request:

certreq -new request.inf request.req

3) You must request the certificate using the SYSTEM account on local computer

psexec -s -i cmd.exe

certreq -submit -config “MyissuingCA.mydomain.com\MYCANAME” request.req certnew.cer

and you are prompted to save it locally

4) Install the certificate:

certreq -accept certnew.cer

5) You can test LDAPS using ldp.exe tool

6) This lists the certificates in computer,personal store:  certutil -store My

check certificate store: certutil -verifyStore My

repair certificate: certuil -repairstore My <CertNum>

This lists the templates available to the current computer: certutil -templates > d:\output.txt

I also collected web resources:

Certificate templates overview: http://technet.microsoft.com/en-us/library/cc730826%28WS.10%29.aspx

FW ports for AD CS: http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

Troubleshooting Certificate enrollment: http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

ADCS FAQ: http://social.technet.microsoft.com/wiki/contents/articles/1587.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-frequently-asked-questions-faq.aspx

Enable LDAP over SSL (LDAPS) on Windows 2008 Active Directory Domain: http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html

LDAP over SSL (LDAPS) Certificate: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Event ID 1220 — LDAP over SSL (LDAPS): http://social.technet.microsoft.com/wiki/contents/articles/2979.event-id-1220-ldap-over-ssl-ldaps.aspx

Troubleshooting LDAP Over SSL: http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx

How to enable LDAP over SSL with a third-party certification authority: using certreq utility: http://support.microsoft.com/kb/321051