Thanks Ken and Emma,
It certainly appears that something changed with the certificates, but if this is the case, whatever changed must have been automatically propagated to Domain joined Windows systems without human intervention (is this possible?)
- or -
somehow in the conversion the certificates were given a 6 month time to live. Just musing here...
I've checked my documentation and the certificates which were no longer working were exported in DER format and converted to PEM 6 months ago.
We use different certificates for https - a Commercial wildcard - here I exported a .pfx from Windows and converted it to a .pem and .key file, e.g.
openssl pkcs12 -in Wildcard.pfx -clcerts -nokeys -out *.domain.pem
openssl pkcs12 -in Wildcard.pfx -nocerts -nodes -out *.domain.key
I also placed the intermediary certificate in my certs directory.
For LDAPS, however, I merely exported the root CA and DC certificates as DER (without private key) and converted them to PEM, e.g.
openssl x509 -in local-SERVERNAME-CA.cer -inform DER -out servername-ca.local.domain.pem -outform PEM
I placed them in the /etc/ssl/certs directory, added the paths to /etc/ldap/ldap.conf, restarted Apache ... And ldaps just worked...
It seemed almost too easy.
@Ken do you recommend a different method and output for conversion - any examples on how to do this?
Regarding LDAPS, do you think I should include the private key and intermediary certificates?
Or perhaps I should just let this go, since the system is working now...
Below is a graph showing our active users and why I would very much like to know how to avoid this ever happening again.
Thank you both for your time.
Best wishes
Heli