Noted about the activity log details -- that is misleading and we should fix that :)
For the cert upload problem, it's hard to say what is going wrong without knowing more specifically about your certificate and domain name. I suggest opening up a support case for assistance with that.
For your second question -- short answer is yes and no, hehe. If you expect any on-prem user to use LDAPS in any way, you need password hash sync. Since you are using only cloud users for LDAP, turning on password hash sync will not be necessary, but I would say that your scenario is pretty unique. For you, I would also recommend configuring scoped-sync to sync only that user into AAD-DS to avoid syncing unnecessary objects into AAD-DS.
However, if you are already syncing on-prem passwords into AAD using AAD Connect, when you turn on AAD-DS the password hashes we use for AAD-DS WILL sync to AAD. This goes for all passwords being synced regardless of whether or not the user is synced to AAD-DS. If you do not already sync passwords, then you do not need to do so if you plan to use only your cloud account.
Erin Greenlee
Program Manager
Azure AD Domain Services