If you are using Certificate Enrollment Gateway with an on-premises CA, you can use your existing CA tools to process the CSR and create the certificate.

The server certificate for Active Directory LDAPS communications must include a valid HTTP CRL Distribution Point.
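
One way to confirm this requirement on a certificate issued from the CSR, as an added example that is not part of the original page or the product's tooling: the functions below parse the text output of `openssl x509` and pass only when the CRL Distribution Points extension itself lists an `http://` URI. The function names, the sample hostnames, and the literal reading of "HTTP" (so `https://` and `ldap://` do not count) are assumptions.

```shell
#!/bin/sh
# Added example. Reads the text printed by:
#   openssl x509 -in cert.pem -noout -text

# Print each URI inside the CRL Distribution Points extension only.
# The section ends at the next line indented no deeper than its header,
# so http:// URIs under Authority Information Access are not counted.
cdp_uris() {
    awk '
        function indent(s) { sub(/[^ ].*/, "", s); return length(s) }
        /X509v3 CRL Distribution Points/ { depth = indent($0); in_cdp = 1; next }
        in_cdp && NF {
            if (indent($0) <= depth) { in_cdp = 0; next }
            i = index($0, "URI:")
            if (i) print substr($0, i + 4)
        }
    '
}

# Returns 0 if an http:// CDP exists, 1 if CDPs exist but none is http://,
# 2 if there is no CDP URI. Assumption: "HTTP" is read literally, so
# https:// and ldap:// entries do not satisfy the check.
check_http_cdp() {
    uris=$(cdp_uris)
    [ -n "$uris" ] || { echo "FAIL: no CRL Distribution Point URI"; return 2; }
    if printf '%s\n' "$uris" | grep -qi '^http://'; then
        echo "OK: HTTP CRL Distribution Point present"; return 0
    fi
    echo "FAIL: no http:// CRL Distribution Point, found:"; printf '%s\n' "$uris"
    return 1
}

# Check a PEM certificate file (needs the openssl CLI).
check_cert_file() { openssl x509 -in "$1" -noout -text | check_http_cdp; }

# Constructed sample: LDAP-only CDP plus an http:// AIA entry.
sample_ldap_only() {
cat <<'EOF'
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=Example-CA,CN=CDP,DC=example,DC=test?certificateRevocationList
            Authority Information Access:
                CA Issuers - URI:http://pki.example.test/ca.crt
EOF
}

# With a file argument check that certificate; otherwise run the sample.
if [ -n "${1:-}" ]; then check_cert_file "$1"; else sample_ldap_only | check_http_cdp || true; fi
```

This confirms only that the extension lists an `http://` URI; whether the CRL at that URL is reachable and current is a separate check.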