> System truststore? Do you mean the JRE cacerts?

$JRE_HOME/lib/security/cacerts is the default location, yes, but it can be customized via system properties (javax.net.ssl.trustStore and friends).

> When I checked this it seems to have the self-signed cert in it.

I don't see any evidence that the LDAP cert is self-signed. It's clear you have some kind of trust problem, but there's not enough information to pinpoint. I would sanity check the cert presented by the directory:

    openssl s_client -connect directory.example.com:636 -showcerts

Verify the head cert is in your truststore. You can also use the above to get the PEM-encoded cert for import if it happens to be different.

M
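The check suggested above can be done by comparing fingerprints. This is an added example, not part of the original message. It assumes the `openssl s_client -showcerts` output and the `keytool -list` output for the truststore were saved as text. The function names are hypothetical and the sample inputs are constructed placeholder bytes, not real certificates.

```python
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# keytool -list prints "Certificate fingerprint (SHA-256): AB:CD:..."; older JDKs print (SHA1) or (MD5).
FP_RE = re.compile(r"Certificate fingerprint \(([A-Za-z0-9-]+)\):\s*([0-9A-Fa-f:]+)")
ALGS = {"SHA-256": "sha256", "SHA256": "sha256", "SHA1": "sha1", "SHA-1": "sha1", "MD5": "md5"}

def presented_certs(s_client_output):
    """DER bytes of each certificate in the s_client output, head cert first."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(s_client_output)]

def truststore_fingerprints(keytool_output):
    """Set of (hashlib name, lowercase hex digest) parsed from keytool -list output."""
    found = set()
    for alg, fp in FP_RE.findall(keytool_output):
        if alg.upper() in ALGS:
            found.add((ALGS[alg.upper()], fp.replace(":", "").lower()))
    return found

def head_cert_trusted(s_client_output, keytool_output):
    """True if the head (first) presented certificate is itself a truststore entry."""
    certs = presented_certs(s_client_output)
    if not certs:
        raise ValueError("no certificate found in s_client output")
    store = truststore_fingerprints(keytool_output)
    return any(hashlib.new(alg, certs[0]).hexdigest() == fp for alg, fp in store)

# Constructed sample data: placeholder bytes stand in for DER certificates.
def _pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

_HEAD, _ISSUER = b"constructed head cert bytes", b"constructed issuer bytes"
SAMPLE_S_CLIENT = (
    "Certificate chain\n 0 s:/CN=directory.example.com\n" + _pem(_HEAD)
    + " 1 s:/CN=Example CA\n" + _pem(_ISSUER)
)
_fp = hashlib.sha1(_HEAD).hexdigest().upper()
SAMPLE_KEYTOOL = (
    "ldap, Jan 1, 2010, trustedCertEntry,\n"
    "Certificate fingerprint (SHA1): "
    + ":".join(_fp[i:i + 2] for i in range(0, 40, 2)) + "\n"
)

if __name__ == "__main__":
    print("head cert in truststore:", head_cert_trusted(SAMPLE_S_CLIENT, SAMPLE_KEYTOOL))
```

A False result only means the head cert itself is not an entry; a truststore that holds the issuing CA instead would also report False here.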
