Hi there, I’m searching where to define the trusted root ca for validation of the SSL certificate on ldaps connections (FR 3.0.12 with CentOS 7). I added the root ca to the system and tested ldaps connection with 'openssl s_client -connect my_ldap_server_IP:636 -CApath /etc/pki/tls/certs‘ and it returns 'Verify return code: 19 (self signed certificate in certificate chain)‘. Then I tested the trusted root ca’s at the system to be sure the correct ca’s are there with ... awk -v cmd='openssl x509 -noout -subject' \ '/BEGIN/{close(cmd)};{print | cmd}' \ < /etc/pki/tls/certs/ca-bundle.crt … and the CA is listed. Am I doing something wrong or is it a OpenSSL issue? Do I have to (or is it possible to) define the trusted root ca within Freeradius? I also didn’t quite understand what the tls section in mods-enabled/ldap is for. As far as I know ldap clients don’t need a client certificate except the LDAP configuration requires it. And in my case it isn’t. When I let ‚ca_file‘ point to my root ca, i get the following: TLS: could not add the certificate '/usr/local/etc/raddb/certs/cacert.crt' - error -8018:Unknown PKCS #11 error.. TLS: /usr/local/etc/raddb/certs/cacert.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error.. TLS: could not perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. I have to admit I’m not practiced with PKI. Thanks so much for help!