|System Settings, Defaults, Clusters, and Active Directory Authentication / Configuring Active Directory Authentication|
If you enable SSL on Active Directory servers, user credentials passed between Active Directory and the Vocera Voice Server are always encrypted.
Self-signed certificates—Export the root SSL certificate from each Active Directory server and then add it to the Java keystore on each Vocera Voice Server machine.
Trusted CA certificates—The root certificate (such as one from Go Daddy or VeriSign) likely already resides in the Java keystore on the Vocera Voice Server and you don't need to export it. However, if the CA certificate for your Active Directory server is part of a certificate chain, then you must add each intermediate CA certificate in the hierarchy to the Java keystore on each Vocera Voice Server machine.