Running Citrix NetScaler Gateway (NSGW) 11 to access Citrix XenApp 7.6 StoreFront and application servers.

They are authenticating to DSfW on OES11sp2 as the only AD Domain Controller.

In order for NSGW users to get prompted to change an expired password, you must use LDAPS for authentication to the DCs.
Citrix says that the DCs must have a certificate installed for the NSGW.

How can I install a certificate from the NSGW onto the DSfW server to satisfy the LDAPS connection?
Can I just use openssl to generate the CSR?
If so, where do I put the signed certificate so that LDAP will use it?

Note: I'm using LDAP port 636 on the DSfW server, not 1636.

If internal users authenticate directly to the StoreFront, they do get prompted to change their expired password.
All of the Citrix servers, except the NSGW, are in the AD Domain.
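The openssl part of the question is straightforward to show in a script. The following is an added example, not from the original post or from Citrix/Micro Focus documentation: it generates a private key and a CSR for the DSfW server's LDAPS listener, checks that the CSR carries the server's FQDN as a subjectAltName (the NetScaler compares the certificate against the LDAP server address it was configured with), and gives a check for what a live listener on port 636 presents once the signed certificate is in place. The hostname `ldap.example.test`, the DN fields, the output directory and the port are assumptions; where eDirectory/DSfW expects the signed certificate to be installed is not covered here.

```shell
#!/bin/sh
# Added example (not the original poster's procedure). Generates a key and CSR
# for an LDAPS listener with openssl and checks the result.
# All names below (FQDN, organisation, output directory) are assumptions.
set -eu

# make_ldaps_csr <fqdn> <outdir>
# Writes <outdir>/<fqdn>.key (mode 600) and <outdir>/<fqdn>.csr.
# The FQDN goes into both the CN and a DNS subjectAltName; using a config
# file instead of -addext keeps this working on older openssl builds.
make_ldaps_csr() {
  fqdn="$1"
  outdir="$2"
  mkdir -p "$outdir"
  cat > "$outdir/$fqdn.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
C = US
O = Example Org
CN = $fqdn
[san]
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$outdir/$fqdn.cnf" \
    -keyout "$outdir/$fqdn.key" \
    -out "$outdir/$fqdn.csr" 2>/dev/null
  chmod 600 "$outdir/$fqdn.key"
  # Self-check: the CSR signature verifies against its own public key.
  openssl req -in "$outdir/$fqdn.csr" -noout -verify >/dev/null 2>&1
}

# csr_has_san <fqdn> <csrfile>
# Returns 0 if the CSR requests DNS:<fqdn> as a subjectAltName.
csr_has_san() {
  openssl req -in "$2" -noout -text | grep -q "DNS:$1"
}

# check_ldaps_listener <fqdn> [port]
# After the signed certificate is installed, show what the LDAPS listener
# actually presents (subject, issuer, validity); the subject/SAN must match
# the hostname the NetScaler uses and the issuer must be trusted by it.
check_ldaps_listener() {
  openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Usage: sh ldaps-csr.sh ldap.example.test ./out
if [ "$#" -ge 2 ]; then
  make_ldaps_csr "$1" "$2"
  csr_has_san "$1" "$2/$1.csr" && echo "CSR written to $2/$1.csr with SAN DNS:$1"
fi
```

Send the resulting `.csr` to whichever CA the NetScaler trusts (its own CA certificate must then be bound on the NetScaler for the LDAP action's secure connection), keep the `.key` on the DSfW server, and run `check_ldaps_listener` against port 636 once the certificate is installed to confirm that the listener presents the new certificate rather than the default one.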