Certificates

We can consider buying a legitimate certificate, rather than home-brew ones:

"You need a key and a certificate to operate your secure server — which means that you can either generate a self-signed certificate or purchase a CA-signed certificate from a CA. What are the differences between the two?

A CA-signed certificate provides two important capabilities for your server:

• Browsers (usually) automatically recognize the certificate and allow a secure connection to be made, without prompting the user.
• When a CA issues a signed certificate, they are guaranteeing the identity of the organization that is providing the webpages to the browser."[1]

The certificate used for LDAP is located at /etc/openldap/root_dn.crt. Do we use the same certificate for everything? If that's only for LDAP then there's no benefit to buying one from an authority, because we're the ones that copy it to each client.