Certificates

Be careful when using Elliptic Curve (EC) certificates for the management interface of a PAN-OS device (tested up to PAN-OS 9.0).

  • If you generate and use a self-signed EC certificate for the management interface, your browser will probably refuse to connect.
  • You have to have the certificate signed by a trusted authority (RSA or EC). You can even generate and trust a CA certificate on the firewall and then use that CA certificate to sign a new certificate for the management interface.

If you want to enforce validation of the certificate for LDAPS, make sure that the server name you put in the LDAP profile matches the Common Name on the certificate. While it is common to use IP addresses in LDAP profiles, you may have to use the FQDN of the LDAP server, as that is likely what is on the certificate. It would seem that you also need the root CA of the trust chain on the Palo, though not necessarily marked as a trusted CA.
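Both points above (an EC certificate only validates when it chains to a CA you trust, and the name in the LDAP profile must be a name that is actually on the LDAPS server certificate) can be reproduced off-box with openssl before committing anything on the firewall. The script below is an added example, not from this wiki page or from Palo Alto Networks; the CA name, the server name ldap.example.com, the IP 10.0.0.5 and the work directory are all constructed for it, and it assumes openssl 1.0.2 or newer (for -checkhost / -checkip). Note that openssl, like most validators, checks a hostname against SAN DNS entries when the certificate has any, and falls back to the Common Name only when it has none, so a certificate whose SAN and CN disagree will match on the SAN.

```sh
#!/bin/sh
# Added example (not from the wiki page or Palo Alto Networks): reproduce
# with openssl what the firewall does when it validates a certificate.
#   1. An EC cert signed by a CA you trust validates; the same EC cert
#      self-signed does not.
#   2. The server name from the LDAP profile must match a name on the cert;
#      an IP address only matches an iPAddress SAN, never the CN.
# All names and the work directory are constructed for this example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do"; exit 0; }
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.com
EOF

# Build: a private EC CA, an EC server cert signed by it (CN and SAN carry
# the FQDN only, no IP), and a self-signed EC cert for the same name.
make_certs() {
    # CA key and cert: the equivalent of the CA certificate generated and
    # marked trusted on the firewall.
    openssl ecparam -name prime256v1 -genkey -noout -out ca.key
    openssl req -x509 -new -key ca.key -sha256 -days 365 -config req.cnf \
        -extensions v3_ca -subj "/CN=Example Internal CA" -out ca.pem
    # Server key and CSR, then the CA signs it with the v3_leaf extensions.
    openssl ecparam -name prime256v1 -genkey -noout -out ldap.key
    openssl req -new -key ldap.key -config req.cnf \
        -subj "/CN=ldap.example.com" -out ldap.csr
    openssl x509 -req -in ldap.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile req.cnf -extensions v3_leaf -out ldap.pem
    # Same key and name, but self-signed: what a browser refuses on the
    # management interface.
    openssl req -x509 -new -key ldap.key -sha256 -days 365 -config req.cnf \
        -extensions v3_leaf -subj "/CN=ldap.example.com" -out selfsigned.pem
}

# chain_ok CERT: exit 0 if CERT chains to ca.pem (the trusted CA), else non-zero.
chain_ok() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }

# name_ok CERT NAME: exit 0 if NAME, as typed into the LDAP profile, matches
# CERT. A dotted-decimal IPv4 literal is checked against iPAddress SANs
# (-checkip); anything else is treated as a hostname (-checkhost).
name_ok() {
    case "$2" in
        *[!0-9.]*) openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match' ;;
        *)         openssl x509 -in "$1" -noout -checkip   "$2" | grep -q 'does match' ;;
    esac
}

# report CERT NAME: one readable line per (chain, name) check.
report() {
    chain_ok "$1" && c=valid || c=UNTRUSTED
    name_ok "$1" "$2" && n=matches || n="does NOT match"
    echo "$1: chain $c, name '$2' $n"
}

make_certs
report ldap.pem ldap.example.com        # chain valid, name matches
report ldap.pem 10.0.0.5                # chain valid, IP does NOT match (no iPAddress SAN)
report selfsigned.pem ldap.example.com  # chain UNTRUSTED, name matches
```

The second report line is the LDAPS case from the text: a profile pointing at the server's IP fails name validation even though the certificate chains correctly, and the fix is to put the FQDN in the profile. The third line is the management-interface case: the name is fine, but nothing trusts the issuer, which is what the browser objects to.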

paloaltonetworks/configuration/certificates.1589810889.txt.gz · Last modified: (external edit)