1. Ensure that you are not using any parameters in the JAVA_OPTS variable that refer to your keystore. For example,
-Djavax.net.ssl.trustStore="/my/key/store"
The JAVA_OPTS variable is normally located in the Crowd distribution's (not EAR-WAR) apache-tomcat/bin/setenv.sh or setenv.bat file (depending on the OS you are using). Remove these references and restart Crowd.
2. Run this command on the Crowd server, replacing <ip address of LDAP server> with your LDAP server's IP address:
openssl s_client -connect <ip address of LDAP server>:636
3. Save the certificate (including the BEGIN CERTIFICATE and END CERTIFICATE lines) of the response into a local file called tmp.pem.
4. Run this command on the local tmp.pem file. This should return an MD5 Fingerprint value.
openssl x509 -fingerprint -md5 -noout -in tmp.pem
5. Run this command on the Crowd server. This assumes you are using the default keystore and the $JAVA_HOME (or for Windows %JAVA_HOME%) variable has been set. If not, please specify the correct keystore path.
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
6. Ensure that the MD5 Fingerprint from step 3 is listed in your keystore. If it is not, you will need to import the tmp.pem certificate into your keystore.
For additional information on SSL services and a great testing tool called SSLPoke, please visit this guide. Although this guide was written for JIRA, it is still extremely useful for troubleshooting SSL-related Crowd issues.
If you continue to experience issues with your SSL configuration and Crowd, please open a new support issue. Attach the CROWD APPLICATION DIRECTORY/atlassian-crowd.log file and the output of the tests above to the support issue.