Certificates
From Nuclear Physics Group Documentation Pages
We can consider buying a legitimate certificate, rather than home-brew ones:
"You need a key and a certificate to operate your secure server — which means that you can either generate a self-signed certificate or purchase a CA-signed certificate from a CA. What are the differences between the two?
A CA-signed certificate provides two important capabilities for your server:
- Browsers (usually) automatically recognize the certificate and allow a secure connection to be made, without prompting the user.
- When a CA issues a signed certificate, they are guaranteeing the identity of the organization that is providing the webpages to the browser."[1]
The certificate used for LDAP is located at /etc/openldap/root_dn.crt. Do we use the same certificate for everything? If that's only for LDAP then there's no benefit to buying one from an authority.
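One way to answer that question, as an added example that is not part of the original notes: the script reports whether the LDAP certificate is self-signed and whether other certificate files or TLS services present the same certificate, by comparing SHA-256 fingerprints. The function names, host names and ports are assumptions; only the path /etc/openldap/root_dn.crt comes from this page.

```shell
#!/bin/sh
# Added example; requires the openssl command-line tool.

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a TLS endpoint (host:port) presents.
served_fp() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Accept either a certificate file or a host:port endpoint.
fp_of() {
    if [ -f "$1" ]; then cert_fp "$1"; else served_fp "$1"; fi
}

# "self-signed" when subject and issuer names match, otherwise "issued-by-ca".
# Only names are compared; the issuer may still be a private, home-brew CA.
cert_kind() {
    subj=$(openssl x509 -noout -subject_hash -in "$1") || return 1
    iss=$(openssl x509 -noout -issuer_hash -in "$1") || return 1
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo issued-by-ca; fi
}

# Compare a reference certificate against other files or endpoints.
audit_reuse() {
    ref=$1; shift
    ref_fp=$(cert_fp "$ref")
    [ -n "$ref_fp" ] || { echo "cannot read $ref" >&2; return 1; }
    echo "$ref: $(cert_kind "$ref") $ref_fp"
    for target in "$@"; do
        fp=$(fp_of "$target")
        if [ -z "$fp" ]; then echo "$target: no certificate retrieved"
        elif [ "$fp" = "$ref_fp" ]; then echo "$target: same certificate"
        else echo "$target: different certificate"; fi
    done
}

# Usage (host names and ports are hypothetical):
#   audit_reuse /etc/openldap/root_dn.crt ldap.example.org:636 www.example.org:443
if [ "$#" -gt 0 ]; then audit_reuse "$@"; fi
```

If every service reports "same certificate", a purchased certificate would replace all of them at once; if only LDAP uses it, browsers never see it.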