got it.

when the certificate gets created the CN of the ldap-object is a combination of custom display name (of the cert) and the servername (e.g. cn=mycertificate - edirserver1). for whatever reason most certificates created with imanager (i tested different versions) have not one whitespace char, but 2 or three of those between both parts of the CN (e.g. cn=mycertificate - edirserver1).

when choosing the server certificate ldap should use only the first part is presented in the drop-down (e.g. mycertificate). i assume at startup edir tries to locate the object by searching for cn=<name> and adds ' - <servername>', thus not being able to locate the 'real' certificate.

so rc=1219 of GetServerKMOInfo means: 'could not find server certificate'.

florian