Certificate not verified error when changing Active Directory identity source from LDAP to LDAPS in RSA Authentication Manager 8.4
Originally Published: 2020-05-27
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4
Issue
- The certificate is retrieved correctly when changing the Active Directory identity source connection in the Operations Console from LDAP to LDAPS.
- The entire certificate chain has been imported.
- All the certificates have been verified. They are all correct, and none are expired.
- When testing the connection from RSA Authentication Manager to Active Directory from the Operations Console, the connection fails with the error 'Test connection failed. One or more directory connections is incorrect', as shown below:
- A packet capture shows that the test connection failed with a bad certificate error:
In the /opt/rsa/am/server/logs/ImsTrace.log, the following error is found at the time of the test connection (note the innermost cause, "KeyUsage does not allow digital signatures"):
[[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'], (LDAPConnectionTesterImpl.java:231), trace.com.rsa.ims.ldapslotmgt.impl.LDAPConnectionTesterImpl, ERROR, am84p.vcloud.local,,,,LDAP Server connection test failed
javax.naming.CommunicationException: 192.168.20.110:636[Root exception is javax.net.ssl.SSLException: Certificate not verified.]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:70)
    at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:1)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Certificate not verified.
    at com.rsa.sslj.x.aI.b(Unknown Source)
    at com.rsa.sslj.x.aI.a(Unknown Source)
    at com.rsa.sslj.x.aI.a(Unknown Source)
    at com.rsa.sslj.x.ap.c(Unknown Source)
    at com.rsa.sslj.x.ap.a(Unknown Source)
    at com.rsa.sslj.x.ap.j(Unknown Source)
    at com.rsa.sslj.x.ap.i(Unknown Source)
    at com.rsa.sslj.x.ap.h(Unknown Source)
    at com.rsa.sslj.x.aT.startHandshake(Unknown Source)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:393)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
    ... 18 more
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
    at com.rsa.sslj.x.bh.a(Unknown Source)
    at com.rsa.sslj.x.bh.a(Unknown Source)
    at com.rsa.sslj.x.bh.a(Unknown Source)
    ... 28 more
Caused by: java.security.cert.CertificateException: KeyUsage does not allow digital signatures
    at com.rsa.sslj.x.ck.checkServerTrusted(Unknown Source)
    at com.rsa.sslj.x.aF.a(Unknown Source)
    ... 31 more
Cause
Although the certificate is valid, it is missing the Digital Signature bit in its Key Usage extension, and the TLS library in Authentication Manager rejects an LDAPS server certificate without that bit. This can be confirmed from the packet capture by inspecting the server key exchange packet. In the example below, the Digital Signature flag of the Key Usage extension is shown as false, confirming that it is missing.
The key usage extension can also be confirmed by viewing the certificate directly and checking for the digital signature under Details and then Extensions Only.
Resolution
To complete these steps, you must have a server with openssl installed and access to the Active Directory server.
- Create a new root certificate using the following commands on the server with openssl. The first command generates a passphrase-protected CA key; the second issues a self-signed CA certificate valid for 3650 days.
$ openssl genrsa -aes256 -out ca.key 4096
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
- Copy the resulting ca.crt to the Active Directory server.
- Open the Microsoft Management Console by clicking Start > Run > mmc.exe.
- Click File > Add/Remove Snap-ins.
- In the Add or Remove Snap-ins window, select Certificates, and click Add.
- Import the ca.crt from step 1 to the Trusted Root Certification Authorities certificate store.
- Create a file named req.inf, which should be like the example below, but with your AD server FQDN listed (KeyUsage = 0xa0 requests the Digital Signature and Key Encipherment bits):
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<ACTIVE_DIRECTORY_FQDN>"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
- Open a command prompt on the AD server.
- Run the following command to create the private key and the certificate signing request from req.inf:
C:\> certreq -new req.inf client.csr
- Copy the client.csr to the server with openssl.
- Create an extension file named v3ext.txt, like the example below. This ensures that the Digital Signature and Key Encipherment bits are set in the issued certificate, because openssl x509 -req does not carry the extensions requested in the CSR over into the certificate by default.
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
- Run the following command to create the certificate:
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt -set_serial 01 -out client.crt
- Copy the certificate back to the Active Directory server.
- From a command prompt, run:
certreq -accept client.crt
- Verify that the certificate is now present under Personal Certificates in the MMC and has a private key that corresponds to it.
- Retrieve the certificate and import it into the Operations Console again.
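An added shell example, not part of the RSA article, that reproduces the failing certificate shape offline and checks a certificate for the Digital Signature bit and the serverAuth EKU before it is imported: it builds a throwaway CA and an AD-style CSR with openssl, signs the CSR once with the v3ext.txt lines above and once with keyEncipherment only, and inspects both results. The CA name, the FQDN ad.lab.local and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the RSA article: reproduce the "KeyUsage does not
# allow digital signatures" condition offline and check a certificate before
# importing it into the Operations Console. Needs the openssl CLI; the CA name,
# the FQDN ad.lab.local and the file names are constructed for the example.

WORK="$(mktemp -d)"

# Return 0 when the certificate has the Digital Signature key-usage bit and the
# serverAuth EKU an LDAPS server certificate needs; else say why and return 1.
check_ldaps_cert() {
    text="$(openssl x509 -in "$1" -noout -text)" || return 1
    ku="$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print; exit }')"
    eku="$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }')"
    case "$ku" in
        *"Digital Signature"*) ;;
        *) echo "$1: Key Usage lacks Digital Signature (got: ${ku:-none})"; return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "$1: Extended Key Usage lacks serverAuth (got: ${eku:-none})"; return 1 ;;
    esac
    return 0
}

# Sign the lab CSR: $1 = extension file, $2 = serial, $3 = output certificate.
sign_csr() {
    openssl x509 -req -days 365 -in "$WORK/ad.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -extfile "$1" -set_serial "$2" -out "$3" 2>/dev/null
}

# Throwaway CA plus one AD-style CSR, signed twice: good.crt uses the v3ext.txt
# lines from the resolution; bad.crt has keyEncipherment only, the failing shape.
make_fixtures() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -subj "/CN=Lab Root CA" \
        -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ad.key" \
        -subj "/CN=ad.lab.local" -out "$WORK/ad.csr" 2>/dev/null
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\n' > "$WORK/good.ext"
    printf 'keyUsage=keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\n' > "$WORK/bad.ext"
    sign_csr "$WORK/good.ext" 01 "$WORK/good.crt"
    sign_csr "$WORK/bad.ext" 02 "$WORK/bad.crt"
}

# Stand-alone run: bad.crt is the shape AM 8.4 rejects with "Certificate not verified".
make_fixtures
for name in good bad; do
    if check_ldaps_cert "$WORK/$name.crt"; then echo "$WORK/$name.crt: OK for LDAPS import"; fi
done
```

Point check_ldaps_cert at the client.crt produced in the resolution (or at a certificate exported from the AD server) to confirm the Key Usage before re-importing it.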