See the pre-req in the official doc:
Enable Secure Communication Between App Volumes Manager and Active Directory
To get the .crt, you open up Certificates snap-in with MMC. You find your domain certificate and any sub-cas (Hopefully you are pushing it through GPO) and export it to crt file.
Using openssl to convert to pem. see the section Converting Using OpenSSL
https://www.sslshopper.com/article-most-common-openssl-commands.html
Windows version of openssl