A site moved, so the IP addresses of all servers changed.

At this point ZEN11.sp1 was still running smoothly, even though the IP
was still the old (wrong) one (still bound at the NW6.5.8 server)

Then, just a few days later, the "Tree Organizational CA" expired (NetWare;
deleted, recreated, all server certificates fixed with PKIDIAG + tckeygen).

Now ZEN cannot connect to its LDAP source any more. In the ZEN center
I cannot change the settings for the LDAP server under "User Source".
As soon as the new (correct) IP address is entered and "OK" clicked, I get an
SSL error; the dialog still presents the old, expired certificate.

Trying to add the same server, or another eDir server, as a second source
LDAP server also fails:

The wizard cannot continue for the following reason(s):
Unable to obtain a valid certificate for SSL communications using the
provided connection information. Please verify that the address and
port are correct and that the LDAP directory has been configured with a
valid certificate.

The rootcert.der was added to the "trusted root certificate store" of
the 2008 (R1) server hosting ZEN11 (\\server\sys\public\rootcert.der),
and iManager on the LDAP server shows that the
certificate and certificate chain are OK and installed properly.

Using Jarek Gawor's LDAP browser to connect to the very same
server, I get this:

Do you want to trust the following CA certificate:

subject: OU=Organzational CA,O=e_tree
Valid from: Thu Sept 27, 13:45:18 CEST 2012
Valid to: Thu Sept 27, 13:45:18 CEST 2022

After accepting the cert, the LDAP access with this tool is working
perfectly fine.

What am I missing?

IT-Beratung Rudolf Thilo
Schweinfurter Str. 131
97464 Niederwerrn
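The checks a practitioner would run on a symptom like the one in the post above, as an added example that is not part of the original post: compare the root certificate the client holds (rootcert.der) with the CA that actually signed the certificate the LDAPS server presents, and verify the chain both now and at a point in the future to tell "stale root" apart from "expired". It assumes only the openssl CLI. The host name ldap.example.test and all file names are placeholders, and make_lab builds a constructed lab (an old tree CA, a recreated tree CA, a server certificate issued by the new CA only) so the checks can be exercised without a real eDirectory server.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes only the openssl
# CLI; host names and file names are placeholders, and make_lab creates a
# constructed lab instead of talking to a real eDirectory/LDAPS server.

# SHA-256 fingerprint of a certificate file; second argument is DER or PEM.
# Comparing rootcert.der against the root the server sends tells you whether
# the client trusts the current tree CA or a stale copy of the old one.
cert_fingerprint() {
    openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^[^=]*=//'
}

# Subject, issuer and validity window of one certificate (DER or PEM).
cert_info() {
    openssl x509 -inform "${2:-PEM}" -in "$1" -noout -subject -issuer -dates
}

# Exit 0 when the issuer DN of server certificate $1 equals the subject DN of
# root $2 (format in $3), i.e. the root you hold is the one that signed it.
issuer_matches() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
    root_subject=$(openssl x509 -inform "${3:-PEM}" -in "$2" -noout -subject \
        | sed 's/^[^=]*=//')
    [ "$leaf_issuer" = "$root_subject" ]
}

# Exit 0 when server certificate $1 verifies against PEM root $2. An optional
# Unix time in $3 evaluates validity at that moment (openssl verify -attime),
# which shows what the chain looks like once the CA or server cert expires.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -attime "$3" -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Pull the chain an LDAPS server really presents (port 636) into a PEM bundle;
# the first certificate in it is the server's. Needs network access, so it is
# not part of the offline lab below.
# Usage: fetch_server_chain ldap.example.test 636 chain.pem
fetch_server_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$3"
}

# Constructed lab: two self-signed tree CAs (old and recreated), a server
# certificate issued only by the new CA, and rootcert.der exported from the
# new CA the way a client would import it.
make_lab() {
    dir="$1"; mkdir -p "$dir"
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.pem" \
            -subj "/O=e_tree/OU=Organizational CA $ca" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/new-ca.pem" \
        -CAkey "$dir/new-ca.key" -CAcreateserial -days 365 -sha256 \
        -out "$dir/ldap.pem" >/dev/null 2>&1
    openssl x509 -in "$dir/new-ca.pem" -outform DER -out "$dir/rootcert.der"
}

# "sh this-script.sh demo": run the lab and show which check catches what.
if [ "${1:-}" = "demo" ]; then
    lab=$(mktemp -d)
    make_lab "$lab"
    cert_info "$lab/rootcert.der" DER
    echo "rootcert.der : $(cert_fingerprint "$lab/rootcert.der" DER)"
    echo "old tree CA  : $(cert_fingerprint "$lab/old-ca.pem")"
    chain_ok "$lab/ldap.pem" "$lab/new-ca.pem" && echo "new CA: chain OK"
    chain_ok "$lab/ldap.pem" "$lab/old-ca.pem" \
        || echo "old CA: chain FAILS (client holds a stale root)"
    later=$(( $(date +%s) + 3700 * 86400 ))
    chain_ok "$lab/ldap.pem" "$lab/new-ca.pem" "$later" \
        || echo "new CA at +3700 days: chain FAILS (certificate expired)"
    rm -rf "$lab"
fi
```

Against a real server, run fetch_server_chain first, take the first certificate out of the bundle with `openssl x509 -in chain.pem -out server.pem`, then `issuer_matches server.pem rootcert.der DER` and `chain_ok server.pem root.pem` (rootcert.der converted to PEM with `openssl x509 -inform DER -in rootcert.der -out root.pem`). One caveat when the failing client is a Java-based service: it consults its own keystore (the JRE's cacerts or whichever keystore it is configured with), not the Windows trusted root store, so the file worth comparing is the one that application actually reads.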