There is a good script to make the 389-ds SSL ready. It creates a selfsigned CA and derives certiﬁcates from it. So how does it work?
In the server directory
/etc/dirsrv are at least two subdirs for the administration-server
$assecdir and the real ldap
$secdir (depends on your installation)