The only thing required for Windows 2012 R2 Server LDAP over SSL is a trusted certificate in the personal store for the local machine (not user) and a REBOOT.
You do not need an Active Directory Certificate Authority or a publicly trusted certificate that matches the host name in the Subject or Subject Alternative (DNS) names. What this means is that you can use a public wildcard certificate; or a private wildcard certificate as long as your domain controllers trust the authority that issued it (put the certificate in both your trusted root and personal stores for the domain controllers).
The only other thing I did was add it to the SSL binding for the default site in IIS and then REBOOT. You absolutely have to reboot.
You also have to do this on ALL of your domain controllers.
You can test by using LDP on your domain controller. Connect to the domain controller with the SSL box ticked and the port set to 3269. Just when you think it’s going to time out, it should connect. If not, REBOOT.