Troubleshooting Tip: LDAPS connection failing with 'Cert error 66, EE certificate key too weak'

sakuraju · ‎01-04-2026

Description

This article describes an issue that occurs where the connection status shows 'Can't contact LDAP server' when 'Secure Connection' (LDAPS) is enabled under LDAP Server settings.

Scope

FortiGate v7.4 and above.

Solution

In the packet captures, the client (FortiGate) sent 'Alert (Level: Fatal, Description: Bad Certificate)' to the server.

This alert message is sent when FortiGate fails to validate the Server certificate sent by the LDAP server.

fnbamd debug output:

[1407] __ldap_tcps_connect-Start ldap conn timer.
[1686] __verify_cb-Cert error 66, EE certificate key too weak. Depth 0. Subject '/CN=ornstein61.labtest.local'
[1374] __ldap_tcps_connect-tcps_connect(192.168.1.2) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
[1686] __ldap_error-Ret 5, st = 0.
[1723] __ldap_error-
[1521] __ldap_tcps_close-closed.
[1611] __ldap_conn_stop-Stop ldap conn timer.
[2650] fnbamd_ldap_result-Error (5) for req 61714574548994

To resolve this issue, regenerate the server certificate with a minimum of a 2048-bit RSA key.

Related articles:

Technical Tip: LDAPS/STARTTLS certificate issuer enforcement

Troubleshooting Tip: Alert (Level: Fatal, Description: Bad Certificate) when configuring LDAPS

Troubleshooting Tip: LDAPS connection failing with 'Cert error 66, EE certificate key too weak'

You are leaving our website