Short answer: You are using an invalid SSL certificate. Longer Answer: SSL server certificates must be capable of key exchange. The cert you are using may be a signing only certificate. This would make it a perfectly good cert for client authentication. It would also make it an acceptable certificate for DHE_ type diffie Hellman server operations. It does not work for RSA SSL server operations. You need to either 1) don't the key usage extension, or 2) specify Key Encipherment (or Key Exchange). The problem is that the MSADCA by default issues these types of certificates, presumably because all of the MS clients are configured to "just work" with them. Darjo Gregoric wrote: >Hi, > > > >I have a problem with AD sync. I have established synchronization without >SSL and works fine, but when I use SSL, connection is not established and I >receive error: > > > >Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape >Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.) > > > >AD machine name is suzy. > > > >I have exported CA and imported it on Directory server. > > > >Certutil -L -d . gives: > > > >CA certificate CTu,u,u > >suzy CT,, > >Server-Cert u,u,u > > > > > >Did i miss something? > > > >Is there any HOW TO for this type of configuration? > > > >Regards >Darjo > > > > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3312 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20051019/d4c0c060/attachment.bin
