Since most people probably only use self-signed certificates for their LDAP servers and may not have access to the raw certificates directly, I thought I'd post this useful bit of info.
You can retrieve the certificate directly from the LDAP server:

    openssl s_client -connect ldap.example.com:636 -showcerts

Copy the CA certificate part of the response (in between BEGIN and END) to cacert.pem. Now:

    openssl verify -CAfile cacert.pem cacert.pem

If this does not return "cacert.pem: OK" then you probably copied the wrong part. Try again.

This cacert.pem can then be used for your tls CAfile configuration elements.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
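The same procedure as a script, added here as an example and not part of the original post: it pulls the chain the LDAPS server presents, keeps the last PEM block as the CA certificate, and runs the verify step, plus the check that actually matters for the CAfile setting, that the server certificate chains to it. Host, port and output file names are assumptions.

```shell
#!/bin/sh
# Added example: fetch an LDAPS server's chain and extract/verify the CA cert.
# ldap.example.com, port 636 and the file names are assumptions.

# Fetch the full chain the server sends; </dev/null closes the TLS session.
fetch_chain() {
    openssl s_client -connect "${1}:${2:-636}" -showcerts </dev/null 2>/dev/null
}

# Number of PEM certificate blocks on stdin (prints 0 instead of failing).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print only the N-th (1-based) PEM certificate block from stdin.
# Block 1 is the server certificate; the last block is the issuing CA.
extract_cert() {
    awk -v want="$1" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want + 0 { print }
        /-----END CERTIFICATE-----/ && n == want + 0 { exit }
    '
}

main() {
    chain=$(fetch_chain "$1" "${2:-636}") || { echo "connect failed" >&2; return 1; }
    total=$(printf '%s\n' "$chain" | count_certs)
    [ "$total" -ge 1 ] || { echo "no certificates in response" >&2; return 1; }
    printf '%s\n' "$chain" | extract_cert 1 > server.pem
    printf '%s\n' "$chain" | extract_cert "$total" > cacert.pem
    # Sanity check from the post: the CA cert must verify against itself.
    # If the server only sent a leaf signed by a CA it did not include,
    # this fails and you need the CA cert from another source.
    openssl verify -CAfile cacert.pem cacert.pem || return 1
    # The check that matters for the CAfile setting: the server cert chains to it.
    openssl verify -CAfile cacert.pem server.pem
}

# Runs only when asked: RUN_FETCH=1 sh fetch_ldap_ca.sh ldap.example.com 636
if [ "${RUN_FETCH:-0}" = 1 ]; then
    main "$@"
fi
```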