It's best practice (i.e. very strongly recommended) to leave "require strong auth" alone, which defaults to yes. Have you seen this? It goes through some of the potential issues with certs. https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html