I know that I could set-up a slave server, but that would be not as
transparent s0 I'd prefer my idea of havingslapd -h
ldaps://192.168.10.1:636/ ldaps:/192.168.10.1:637/ each using a
different certificate.

I did so: I put two ldap slave servers (server-server-new and server-old). On the server-old I put the old certificate on the server-new I put the new certificate.

The old applications I point to the server-old and the other applications I use the server-new.

Sincerely, jarbas