Using the ADD-ROLE token, the driver processes the variable properly and adds it to the string for the role DN, but the driver generates the following error:

Code:
DirXML Log Event -------------------
     Driver:   \AEHNIDV\SERVICES\IDMDriverSetAEHN\eDir-VAULT-to-AEHN
     Channel:  Publisher
     Status:   Error
     Message:  Code(-9205) Error in vnd.nds.stream://AEHNIDV/SERVICES/IDMDriverSetAEHN/eDir-VAULT-to-AEHN/Publisher/pub-etp+Entitlem
ent+by+SOURCE+DN#XmlData:48 : Couldn't request assignment of role: 'CN=TESTROLE,CN=Level30,CN=RoleDefs,CN=RoleConfig,CN=AppCon
fig,CN=UserApplication,CN=IDMDriverSetAEHN,O=SERVICES' to identity: 'CN=testuser,OU=USERS,O=VAULT': com.novell.nds.dirxml.soap.UserA
ppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX 
path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to request
ed target

Checked the Vault server and USERAPP server for expired certs in eDir, found that the userapp server certs had expired, renewed them, restarted eDir and Tomcat, still received the above error.

Any ideas?

Thanks in advance
Dave G.