In a given environment, all domain controllers have certificates issued by an internal CA and trusted by clients, and clients mostly use LDAPS connections. The Change Auditor documentation mentions that all domain controllers must have a "public-key certificate". The Change Auditor coordinator server does not have a certificate issued by the CA, and when installing the agent on a domain controller with the SSL option, it fails to connect to the coordinator.
The Application event log shows a bad certificate from the coordinator. The documentation does not define certificate requirements for the coordinator server at all.
The section "SSL certificate configuration and deployment" in the Change Auditor Installation Guide says that a public key cert is required on the host of each Change Auditor component that makes Active Directory requests to a domain controller. Here "component" means the CA coordinators, clients and agents that were configured to use SSL for LDAP authentication at installation time. That is because the DC (the LDAPS server) must trust the requester (the LDAPS client) and vice versa. So yes, you'll need to have your CA issue certificates to all computers that host a Change Auditor coordinator, client or agent that is configured to use SSL for requests to DCs.
Also, CA Agents communicate with Coordinators over a different protocol, WCF. That is not controlled by the install-time SSL option. Those connections are fully encrypted in CA 7.5.0 and up with the default authentication type. Certificate authentication is available there as well, but it's more complex and really not necessary for privacy purposes.