I got this to work the following way:
I've put the CA certificate of the PKI that signed my LDAP certificate in /usr/local/share/certs/ca-bundle.pem
Then I selected no encryption in the advanced page for the LDAP configuration and added the following parameters in the auxiliary field for sssd.conf:
ldap_tls_cacert = /usr/local/share/certs/ca-bundle.pem
ldap_id_use_start_tls = true
tls_reqcert = demand
This configuration not only works, it is also a lot more secure than the options that disable TLS altogether.
The FreeNAS GUI now seems to offer limited CA capability, but does not offer you the option to use your own PKI, unless you want to import your PKI's public AND private key into FreeNAS. This seems to be a rather silly design. There is absolutely no need for FreeNAS to have the private key of my PKI to verify the LDAP server certificate.
Edit:
Actually, importing a CA can be done without providing the private key. The certificate selection field in the LDAP advanced tab is to point at the CA who signed your LDAP server's certificate. You need to import the CA certificate under: System > CAs.
The user guide suggests that you need to select the certificate of the LDAP server in that field, but I don't think that's true.
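
An added example, not part of the original post and not FreeNAS or SSSD code: a small auditor that reads an sssd.conf and reports LDAP domains whose TLS settings are weaker than the StartTLS-plus-CA-file setup described above. It uses the option names and defaults documented in sssd-ldap(5) (`ldap_uri`, `ldap_id_use_start_tls`, `ldap_tls_reqcert`, `ldap_tls_cacert`, `ldap_tls_cacertdir`); the function name, finding codes and sample configurations are constructed for illustration.

```python
import configparser

# Levels from sssd-ldap(5) that always reject a missing or untrusted server cert.
STRICT_REQCERT = {"demand", "hard"}

def audit_sssd_ldap_tls(conf_text):
    """Return (section, code, message) findings for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        uris = [u.strip().lower() for u in opts.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        # ldaps:// is TLS from the first byte; ldap:// is cleartext unless StartTLS is on.
        if any(not u.startswith("ldaps://") for u in uris) and not start_tls:
            findings.append((section, "cleartext",
                             "ldap:// URI without ldap_id_use_start_tls = true"))
        # sssd defaults to 'hard' when the option is absent.
        reqcert = opts.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in STRICT_REQCERT:
            findings.append((section, "reqcert",
                             f"ldap_tls_reqcert = {reqcert} does not guarantee a verified server certificate"))
        # Only the CA's public certificate is referenced; no private key is involved.
        if not opts.get("ldap_tls_cacert") and not opts.get("ldap_tls_cacertdir"):
            findings.append((section, "no-ca",
                             "no explicit CA file or directory; trust falls back to OpenLDAP defaults"))
    return findings

# Constructed sample inputs (hostnames are placeholders).
WEAK = """
[domain/LDAP]
ldap_uri = ldap://ldap.example.test
ldap_tls_reqcert = never
"""
HARDENED = """
[domain/LDAP]
ldap_uri = ldap://ldap.example.test
ldap_id_use_start_tls = true
ldap_tls_cacert = /usr/local/share/certs/ca-bundle.pem
ldap_tls_reqcert = demand
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sssd_ldap_tls(text) or "no findings")
```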