I changed those 2 settings, now I am not able to log in, but I am able to connect to ldaps over 636 using ldap.exe from the same pc. In doing some research I found some post that seem to be related to this where you indicated the Root CA does need to be imported into the java truststore, has that changed?
https://discourse.igniterealtime.org/t/ldap-ssl-issues-in-openfire-3-10-2/60768/8