Using the PKI to generate certificates is NOT supported for production systems, as documented here:

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

I can't stress that enough.  It is provided for convenience for testing purposes.  For production systems or test systems that require proper security, please use certificates/keys specified from the source determined by your security admins, and make sure the procedures they specify for safeguarding the keys are in place and adhered to.

This is sort of the minimum for just enabling SSL/TLS on apache.  Please see apache documentation for further configuration options, including but not limited to selecting ciphersuites and configuring client verification:

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

Also, please recall that private web server is provided for convenience and that for production purposes you should install a CSP/Web Gateway into a full web server.  Per this documentation, quote:

When installing InterSystems IRIS, this private version of Apache is installed to ensure that:

1. The Management Portal runs out of the box.
2. An out-of-the-box testing capability is provided for development environments.

The PWS is not supported for any other purpose.

For deployments of http-based applications, including REST, CSP, Zen, and SOAP over http or https, you should not use the private web server for any application other than the Management Portal; instead, you must install and deploy one of the supported web servers. For information, see the section “Supported Web Servers” in the online InterSystems Supported Platforms document for this release.

end quote.

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

Howdy!

1. InterSystems has tested the new settings related to these Microsoft changes (signing and channel binding) and seen that simple binds to Active Directory servers from InterSystems instances will fail if not using TLS.  Enforcement of these settings is up to Microsoft and subject to change by them, so knowing how and when such changes might be made without manual intervention would be a question best addressed to Microsoft.

2. Regarding your particular set up, a CA file should be able to contain multiple CA certificates.  I’ve tested putting the right CA certificate for the server I was connecting to after a different CA certificate in the file and found that the connection still worked, so it appears capable of going through more than one.

What might be a concern is that hostname checking is done by the LDAP connection, so the subject name for the certificate the server presents needs to match the hostname the client is configured to connect to.  If your three different AD machines have three different certificates (which would be the case if they were signed by three different CAs), then you might want to check that the subject names for the certificates all match the actual configured hostname in the LDAP configuration on the instance.  I’m fairly certain that a match for the subject alternative name extension for the certificate (instead of the subject name field itself) would suffice, but I have not tested it.

If you’d like to explore this in more depth, we encourage you to open a WRC case.