
TLS/Certificate Problem Openldap

Hello,

I am trying to configure OpenLDAP with TLS/SASL, but I only ever get the same error (TLS certificate verification: Error, unable to get local issuer certificate).
Perhaps someone has an idea what is wrong with the certificate.

Version: $OpenLDAP: slapd 2.3.43
OS: SUSE Linux Enterprise 10

LDAP server output:

-----------------------------------------------------------
connection_read(12): checking for input on id=31
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=31
connection_read(12): checking for input on id=31
TLS certificate verification: depth: 0, err: 20, subject: /DC=liga01/ST=Deutschland/L=Munich/O=it/CN=schmidt.muc.liga01, issuer: /DC=liga01/ST=Deutschland/O=it/CN=schmidt.muc.liga01
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned s3_srvr.c:2482
connection_read(12): TLS accept failure error=-1 id=31, closing
connection_closing: readying conn=31 sd=12 for close
connection_close: conn=31 sd=12
-----------------------------------------------------------

I created the certs following this tutorial:

http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185

/etc/openldap/slapd.conf:
-----------------------------------------------------------

TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCertificateFile /etc/ssl/zertifikate/servercrt.pem
TLSCertificateKeyFile /etc/ssl/zertifikate/serverkey.pem
TLSCACertificateFile /etc/ssl/zertifikate/demoCA/cacert.pem
TLSVerifyClient demand
-----------------------------------------------------------

/etc/openldap/ldap.conf:
-----------------------------------------------------------
TLS_CACERT /etc/ssl/zertifikate/demoCA/cacert.pem
TLS_REQCERT demand
-----------------------------------------------------------

/etc/ldap.conf:
-----------------------------------------------------------
ssl     start_tls
-----------------------------------------------------------

greets

Steffem
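One way to reproduce the "err: 20" condition from that log offline, as an added example that is not part of the post and not OpenLDAP's own code: it builds throwaway CAs and client certs with openssl (constructed names, in a temp dir), runs the same chain check slapd does against TLSCACertificateFile, and compares the working case with a client cert whose issuer is absent from the CA file. It assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Reproduce slapd's "unable to get local issuer certificate" (X.509 verify error 20)
# offline with openssl, using throwaway CAs and client certs built in a temp dir.
# Every name and file here is constructed for the demo, none is taken from the post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, playing the role of demoCA/cacert.pem.  $1 = CA name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=it/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Client certificate issued by the named CA.  $1 = CA name, $2 = client CN
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/O=it/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The check slapd performs with TLSVerifyClient demand: chain the presented cert to
# TLSCACertificateFile.  $1 = client CN, $2 = CA name.  Prints "OK" or "error 20".
verify_client() {
  out=$(openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" 2>&1 || true)
  case "$out" in
    *": OK"*) echo "OK" ;;
    *"unable to get local issuer certificate"*) echo "error 20" ;;
    *) echo "other: $out" ;;
  esac
}

# Cross-check: the client's issuer DN must equal the CA file's subject DN exactly.
# $1 = client CN, $2 = CA name.  Prints "match" or "mismatch".
issuer_matches_ca() {
  iss=$(openssl x509 -noout -issuer -in "$WORK/$1.pem" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -in "$WORK/$2.pem" | sed 's/^subject=//')
  if [ "$iss" = "$sub" ]; then echo "match"; else echo "mismatch"; fi
}

make_ca demoCA                     # the CA slapd is configured to trust
make_ca otherCA                    # a CA slapd knows nothing about
make_client demoCA good_client
make_client otherCA stray_client   # same shape of failure as in the log above

echo "good_client  vs demoCA: $(verify_client good_client demoCA), issuer $(issuer_matches_ca good_client demoCA)"
echo "stray_client vs demoCA: $(verify_client stray_client demoCA), issuer $(issuer_matches_ca stray_client demoCA)"
```

The second line is the slapd situation: the cert chains fine to its own CA, but not to the one named in TLSCACertificateFile, so the server answers with the "unknown CA" alert seen in the trace.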