hi, i need your help ..

I am trying to configure my LDAP server(s) to use a dedicated certificate,
created with my own (eDirectory) CA. However, I can't get TLS up and running
with my own certificate. The default DNS certificate (SSL CertificateDNS) does
the job though ...

This is the certificate I want to use:

Name Value
Certificate name: myCompany_eDir_LDAPCert
Key size: 2048
Key usage: Key encipherment
Key usage: Digital signature
Key usage extension: Is not critical
Allow export of private key: No
Extended key usage: Server
Extended key usage extension: Is not critical
Subject name: .o=myCompany.CN=myServername.myDomain.local
UTF8 encode names: No
Subject alternative name: IP: 10.252.130.211
Subject alternative name: DNS: mDNSAlias.myDomain.local
Subject alternative name: DNS: myServername.myDomain.local
Signature algorithm: SHA 256-RSA (SHA2)
Effective date: Friday, July 7, 2017 8:48:00 AM CEST
Expiration date: Sunday, July 7, 2019 8:48:00 AM CEST
Trusted Root: Your organization's certificate

The only difference to 'SSL CertificateDNS' is the SAN mDNSAlias.myDomain.local
and 'Server Authentication' as extended key usage. For testing purposes I even tried to
omit both of those values, without success.

To exclude a CA misconfiguration I deleted and recreated 'SSL CertificateDNS';
it still did work.

In my trace I see the following lines when starting the NetIQ SecretStore LDAP
Transport with my custom certificate (interestingly, no exception number with
SSL_CTX_use_KMO):

13:53:19 2FC LDAP: LDAP Agent for NetIQ eDirectory 9.0.3 (40005.15) started
13:53:19 2FC LDAP: Updating server configuration
13:53:19 2FC LDAP: Work info status: Total:2 Peak:2 Busy:0
13:53:19 AFC LDAP: Listener applying new configuration
13:53:19 AFC LDAP: LDAPURL: ldap://:389
13:53:19 AFC LDAP: LDAPURL: ldaps://:636
13:53:19 AFC LDAP: Listener setting up cleartext port 389
13:53:19 AFC LDAP: Listener setting up TLS port 636
13:53:19 AFC LDAP: SSLv3 disabled for secure LDAP connections.
13:53:19 AFC LDAP: TLS HIGH ciphers required for TLS connections
13:53:19 AFC LDAP: TLS initialization successfully completed
13:53:19 AFC LDAP: SSL_CTX_use_KMO failed. Error stack:
13:53:19 AFC LDAP: SSL_CTX_use_KMO failed. Error stack:
13:53:19 AFC LDAP: Disabling TLS services because of configuration failure

Thanks for your input, Florian
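Added example, not part of the post above: a small POSIX shell check that confirms a server certificate carries the attributes an LDAPS listener needs (the hostname as a SAN, the serverAuth EKU, and the Digital Signature / Key Encipherment key usages listed in the post), plus a helper to pull the leaf certificate a live ldaps:// listener actually presents so you can see whether the custom KMO or the default one is in use. It assumes an OpenSSL 1.1.1+ binary on PATH; the host name and the self-signed test certificate are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl >= 1.1.1 on PATH.

# Fetch the leaf certificate an LDAPS listener presents (needs network).
fetch_ldaps_cert() {            # usage: fetch_ldaps_cert host [port] > server.pem
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Return 0 if the PEM certificate in $1 is usable for LDAPS on hostname $2:
# the name is listed as a SAN, EKU includes serverAuth, KU includes
# Digital Signature and Key Encipherment, and the certificate is not expired.
check_ldaps_cert() {
    cert=$1; host=$2
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    case "$text" in *"DNS:$host"*) ;;
        *) echo "missing SAN DNS:$host"; return 1;; esac
    case "$text" in *"TLS Web Server Authentication"*) ;;
        *) echo "missing serverAuth EKU"; return 1;; esac
    case "$text" in *"Digital Signature"*) ;;
        *) echo "missing KU digitalSignature"; return 1;; esac
    case "$text" in *"Key Encipherment"*) ;;
        *) echo "missing KU keyEncipherment"; return 1;; esac
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired"; return 1; }
    return 0
}

# Constructed self-signed test certificate mirroring the attributes in the post
# (non-critical KU/EKU, SAN with one IP and two DNS names). Not a CA-issued cert.
make_test_cert() {              # usage: make_test_cert out.pem   (key goes to out.key)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -subj "/O=myCompany/CN=myServername.myDomain.local" \
        -addext "subjectAltName=IP:10.252.130.211,DNS:mDNSAlias.myDomain.local,DNS:myServername.myDomain.local" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}
```

Run `fetch_ldaps_cert myServername.myDomain.local > live.pem` followed by `check_ldaps_cert live.pem myServername.myDomain.local` against the real listener; if the subject or SANs printed by `openssl x509 -in live.pem -noout -subject -ext subjectAltName` still show the default certificate, the custom KMO was never loaded, which matches the "Disabling TLS services" line in the trace.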