My goal is to enable AD auth on ovirt4. It requires ldaps on my AD. I've found a lot of instructions on how to enable ldap over ssl using a self-signed cert (e.g. https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority), but they all describe a single domain controller case. How shall I handle the situation with two domain controllers? Shall I create certs on each machine, or maybe it is reasonable to create a wildcard cert?
Yes, you need to create SSL certificates on both machines. Both domain controllers require SSL certificates because if you connect to the domain name rather than to a specific domain controller host name, you could be round-robined to either domain controller, so you will need certificates on both of them. Avoid using wildcard certificates unless you are in a lab scenario; in the PKI world those are considered a major security risk. Furthermore, wildcard certificates are a no-go for domain controllers too, because the Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in the SSL certificate in one of the following places:
Please see MS KB 321051 for further details.
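The round-robin point in the answer above is worth checking mechanically before pointing an LDAPS client at the domain. The script below is an added example, not code from the original thread or from oVirt or Microsoft: it applies the RFC 6125 hostname-matching rule a TLS client uses to the SAN dNSName entries of the certificate each DC would serve, for every name a client might put in its LDAPS URL (each DC's own FQDN, plus the bare domain name when clients connect to the domain and get round-robined). The domain name `domain.com`, the DC names `dc01`/`dc02` and the three SAN lists are constructed sample data. It models only the client-side name check; the separate requirement stated above, that the DC itself needs its own FQDN in the certificate it serves, is not something this script can verify.

```python
"""Client-side hostname check for LDAPS certificates on several domain controllers.

Added example, not part of the original post. All names and SAN lists below are
constructed sample data (assumed domain "domain.com", DCs dc01 and dc02).
"""

DOMAIN = "domain.com"                          # assumed AD domain name
DCS = ["dc01.domain.com", "dc02.domain.com"]   # assumed DC FQDNs


def hostname_matches(san_name: str, host: str) -> bool:
    """RFC 6125-style match of one SAN dNSName against the name the client connected to.

    A wildcard is accepted only as the entire leftmost label ("*.domain.com"),
    it matches exactly one label, and it never matches the bare domain itself.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    san_name = san_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in san_name:
        return san_name == host
    # Reject partial wildcards ("dc*.domain.com") and wildcards past the first label.
    if not san_name.startswith("*.") or "*" in san_name[2:]:
        return False
    suffix = san_name[1:]                      # ".domain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]            # the label the "*" would stand for
    return bool(leftmost) and "." not in leftmost


def cert_covers_host(san_dns_names, host) -> bool:
    """True if any SAN dNSName in the certificate matches the connected-to name."""
    return any(hostname_matches(name, host) for name in san_dns_names)


def required_names(dc: str, domain: str, clients_use_domain_name: bool):
    """Names a given DC's certificate must cover: its own FQDN, and the domain
    name too when clients connect to the domain, since DNS round-robin can hand
    any client to any DC."""
    names = [dc]
    if clients_use_domain_name:
        names.append(domain)
    return names


def check_deployment(certs_by_dc, domain, dcs, clients_use_domain_name):
    """certs_by_dc maps each DC FQDN to the SAN dNSName list of the certificate it serves.

    Returns {dc: [names that certificate does NOT cover]}; an empty list means
    clients will accept that DC for every name they might use.
    """
    problems = {}
    for dc in dcs:
        sans = certs_by_dc.get(dc, [])
        problems[dc] = [
            name for name in required_names(dc, domain, clients_use_domain_name)
            if not cert_covers_host(sans, name)
        ]
    return problems


# Constructed sample SAN lists for three ways the certificates might be issued.
PER_DC_CERTS = {                      # one cert per DC, each also naming the domain
    "dc01.domain.com": ["dc01.domain.com", "domain.com"],
    "dc02.domain.com": ["dc02.domain.com", "domain.com"],
}
ONE_CERT_ON_BOTH = {                  # the dc01 certificate simply copied to dc02
    "dc01.domain.com": ["dc01.domain.com"],
    "dc02.domain.com": ["dc01.domain.com"],
}
WILDCARD = {                          # a single *.domain.com certificate on both
    "dc01.domain.com": ["*.domain.com"],
    "dc02.domain.com": ["*.domain.com"],
}

if __name__ == "__main__":
    for label, certs in [("per-DC certs", PER_DC_CERTS),
                         ("dc01 cert on both", ONE_CERT_ON_BOTH),
                         ("wildcard on both", WILDCARD)]:
        for use_domain in (False, True):
            result = check_deployment(certs, DOMAIN, DCS, use_domain)
            print(f"{label}, clients use domain name={use_domain}: {result}")
```

Two things the run makes visible: copying dc01's certificate to dc02 fails as soon as a client is sent to dc02 by name, and a `*.domain.com` wildcard, even where a client would otherwise accept it for `dc01.domain.com`, never covers the bare `domain.com`, so an LDAPS URL of `ldaps://domain.com:636` still fails the name check on both DCs.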