Certificates are a chain of trust - it's very likely that you just don't trust your own SSL certificate authority. For me, the file where the trusted certificate authorities are stored is /etc/pki/tls/certs/ca-bundle.crt - adding your CA certificate (my system default is /etc/pki/CA/cacert.pem) there will trust it.

If you are also listening on ldaps (not starttls, that's different), you can see how openssl is trying to verify the certificate through "openssl s_client -connect <myhost>:<myport>". Once that returns OK, ldaps should work.

Also it's worthwhile to mention http://www.cacert.org/ here - it's a free certificate authority that you can use to sign certificates that other people will be able to trust (once they import cacert's certificate, that is).

I can't recommend any LDAP books as I learned the hard way...

-Dave

On Monday 07 April 2008 12:13:31 pm Chris Frederick wrote:
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
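The chain-of-trust point in the reply above, shown end to end as an added example (this is not code from the mailing-list post): a throwaway private CA signs a server certificate, and OpenSSL's verification of that certificate fails while the trust bundle holds only an unrelated CA, then succeeds once the private CA's certificate is appended to the bundle, which is exactly what adding cacert.pem to ca-bundle.crt does for the LDAP client. The CA names, the host name ldap.example.internal and the temporary file paths are constructed for the demo; the check uses `openssl verify -CAfile`, the same verification step that `openssl s_client` reports as its verify return code.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post. It builds a
# throwaway private CA plus a server certificate signed by it, then shows that
# OpenSSL verifies the server certificate only once that CA's certificate is
# part of the trust bundle it is given. All names and paths are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate. The CA:TRUE basic constraint comes
# from the default openssl.cnf v3_ca section (or OpenSSL 3's req -x509
# default), so no extra extension flags are needed here.
make_ca() {
    name="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name" -keyout "$out.key" -out "$out.pem" >/dev/null 2>&1
}

# Issue a server certificate for the LDAP host, signed by the CA at "$ca".
make_server_cert() {
    ca="$1"; host="$2"; out="$3"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$out.key" -out "$out.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$out.csr" \
        -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
        -out "$out.crt" >/dev/null 2>&1
}

# Check the server certificate against a trust bundle, the same verification
# the client performs when "openssl s_client" connects. Prints OK or FAIL.
verify_against_bundle() {
    bundle="$1"; cert="$2"
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Append a CA certificate to a bundle file (what adding cacert.pem to
# ca-bundle.crt does on the client system).
trust_ca() {
    bundle="$1"; cacert="$2"
    cat "$cacert" >> "$bundle"
}

# Demo: a bundle holding only an unrelated CA stands in for the system
# ca-bundle.crt before the local CA has been added to it.
make_ca "Demo Internal CA" "$WORK/internal-ca"
make_ca "Unrelated Public CA" "$WORK/other-ca"
make_server_cert "$WORK/internal-ca" "ldap.example.internal" "$WORK/ldap"
cp "$WORK/other-ca.pem" "$WORK/ca-bundle.crt"

BEFORE="$(verify_against_bundle "$WORK/ca-bundle.crt" "$WORK/ldap.crt")"
trust_ca "$WORK/ca-bundle.crt" "$WORK/internal-ca.pem"
AFTER="$(verify_against_bundle "$WORK/ca-bundle.crt" "$WORK/ldap.crt")"

echo "before adding CA to bundle: $BEFORE"   # FAIL
echo "after adding CA to bundle:  $AFTER"    # OK
```

The "before" case is the state that produces the quoted `certificate verify failed` error: the server's certificate is fine, but nothing in the client's trust store vouches for its issuer. Against a live server the equivalent check is `openssl s_client -connect host:port -CAfile /etc/pki/tls/certs/ca-bundle.crt`, whose output should end with `Verify return code: 0 (ok)` once the CA is in the bundle.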