If you do not have a signed server certificate, OpenSSL can be used to generate a certificate request.
# openssl req -new -nodes -keyout serverkey.pem -out serverreq.pem
The -nodes argument prevents encryption of the private key which is required by OpenLDAP.
If your CA does not support the default pem format of the request, another format can be specified with the -outform argument. For more information about certificate requests, refer to #man req.
Common name (CN) should exactly match the fully qualified domain name (FQDN) of the server where OpenLDAP is installed.