Certificates are a chain of trust - it's very likely that you just don't trust 
your own SSL certificate authority.  For me, the file where the trusted 
certificate authorities are kept is /etc/pki/tls/certs/ca-bundle.crt - adding 
your CA certificate (my system default is /etc/pki/CA/cacert.pem) to there will 
trust it.

If you are also listening on ldaps (not starttls, that's different), you can 
see how openssl is trying to verify the certificate through "openssl 
s_client -connect <myhost>:<myport>".  Once that returns OK, ldaps should 
work.

Also it's worthwhile to mention http://www.cacert.org/ here - it's a free 
certificate authority that you can use to sign certificates that other people 
will be able to trust (once they import cacert's certificate, that is).

I can't recommend any LDAP books as I learned the hard way...

-Dave

On Monday 07 April 2008 12:13:31 pm Chris Frederick wrote:
> ldap_start_tls: Connect error (-11)
>          additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
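The chain-of-trust point in Dave's reply, as an added example that is not part of the original thread: the script below builds a throwaway CA and a server certificate signed by it, then shows that `openssl verify` rejects the server certificate while the trusted bundle only holds an unrelated CA, and accepts it once the signing CA is appended to the bundle, which is exactly what appending cacert.pem to ca-bundle.crt does. It assumes only the openssl command-line tool is installed; every file name, subject name and the bundle path are constructed for the example, not taken from the poster's system.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Assumes the openssl CLI; all paths and names below are constructed.
set -u

WORK="${WORK:-$(mktemp -d)}"

# make_test_pki DIR: create a self-signed "our CA", an LDAP server cert
# signed by it, and a trusted bundle that contains only some *other* CA
# (standing in for a distribution bundle that carries public CAs only).
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/ldap.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/ldap.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other.key" -out "$dir/ca-bundle.crt" \
        -subj "/CN=Unrelated Public CA" >/dev/null 2>&1
}

# verify_chain BUNDLE CERT: exit 0 if CERT chains up to a CA in BUNDLE,
# non-zero otherwise (the same check s_client reports as "Verify return code").
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# trust_ca BUNDLE CA: append the CA certificate to the bundle, which is the
# fix the reply describes for the "certificate verify failed" error.
trust_ca() {
    cat "$2" >> "$1"
}

make_test_pki "$WORK"

if verify_chain "$WORK/ca-bundle.crt" "$WORK/ldap.pem"; then
    echo "before adding CA: verified (unexpected)"
else
    echo "before adding CA: certificate verify failed (expected)"
fi

trust_ca "$WORK/ca-bundle.crt" "$WORK/ca.pem"

if verify_chain "$WORK/ca-bundle.crt" "$WORK/ldap.pem"; then
    echo "after adding CA: OK"
else
    echo "after adding CA: still failing (unexpected)"
fi
```

Run it as a plain `sh` script; it writes only into a temporary directory. On a real host the same `openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt server.pem` check tells you whether the bundle trusts your server certificate before you involve the LDAP client at all, and `openssl s_client` then confirms the server is actually presenting that certificate.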