This is our scenario:

We have several mainframe apps that use secure LDAP into our eDir tree.
Currently, the DNS name points to our master replica server. Issues arise
when this server has a problem.

Since we have implemented IDM, we want to switch the LDAP authentication to
our AUTH tree, with 3 servers providing LDAP authentication. The problem is
that this requires 3 unique certs.

I have created a DNS name with multiple IP addresses that match the
servers, but I cannot seem to be able to get the LDAP Server objects to
bite on any cert other than one generated with that server name.

I've tried generating a custom KMO using the DNS name in the host name
field, but can't seem to get it to replace correctly via the REPLACE option
on the trusted root tab of the SSL CertificateDNS for the 3 servers.

Any ideas??
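The name-matching check that sits underneath the problem described in this post, as an added example (not code from the original post or from eDirectory/iManager): a client that connects through the shared DNS name validates the server certificate against that name, so each server's certificate has to carry the shared alias as well as its own host name. The alias `ldap-auth.example.com` and the three `authN.example.com` server names are constructed placeholders.

```python
"""Check whether an LDAP server certificate's DNS names cover both the shared
round-robin alias and the server's own host name (constructed example)."""

ALIAS = "ldap-auth.example.com"  # assumed shared DNS name pointing at all 3 servers
SERVERS = ["auth1.example.com", "auth2.example.com", "auth3.example.com"]  # assumed


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, at most one leading
    wildcard label, and a wildcard never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    labels = host.split(".")
    # "*.example.com" matches "auth1.example.com" but not "example.com"
    # or "a.b.example.com"
    return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == suffix


def cert_covers(cert_names, host) -> bool:
    """True if any DNS name in the certificate (subject CN / SAN entries)
    matches the host name the client is validating against."""
    return any(dns_name_matches(name, host) for name in cert_names)


def required_names(server: str):
    """Names a given server's certificate must cover so that clients using
    the alias and clients using the server's own name both validate."""
    return [ALIAS, server]


def missing_names(cert_names, server: str):
    """Names that clients may validate against but the certificate lacks."""
    return [h for h in required_names(server) if not cert_covers(cert_names, h)]


if __name__ == "__main__":
    # A cert issued only for the server's own name fails for the alias.
    for srv in SERVERS:
        print(srv, "missing:", missing_names([srv], srv))
    # A cert carrying both names covers every way clients reach the server.
    print(SERVERS[0], "missing:", missing_names([ALIAS, SERVERS[0]], SERVERS[0]))
```

A per-server certificate whose names include both the alias and the server's own FQDN satisfies the check; a single certificate naming only the alias would still fail for clients that connect to an individual server directly.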