I cant start our LDAP Server with TLS Support.

We use SLES12 SP1 and a self signed CA. (root Ca and Intermediate)

The LDAP Server is on Port 389 up and running.

1. I Create the certificate chain an import to the Server:
cat intermediate.cert.pem ca.cert.pem > ca-chain.cert.pem
copy the ca-chain.cert.pem to /etc/pki/trust/anchors on the Server, and with

import the ca chain.

I see boot, the root ca and the intermediate now at /etc/ssl/certs (link to /var/lib/ca-certificates/pem)

2. Step: I import the Server Certificate p12 (incl.FQDN - commonName)via Yast and Common Server Certificate - Yast: Certificate has been imported

Now I have at
a servercert.pem and a serverkex.pem file.

3. Step: Config TLS Settings via Yast at the running Server

I use the intermediate ca from
and the certificate and the key from
and finish the TLS Config.

I use "Softerra LDAP Administrator" for LDAP administration. The Connect to the the Server over 389 work fine. over 636 "no server" error

the localmessagelog fom the Server:
2016-01-31T18:31:18.208617+01:00 bis-sl-sles12-01 slapd[1134]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T18:31:18.211024+01:00 bis-sl-sles12-01 slapd[1134]: slapd starting
2016-01-31T18:32:37.689479+01:00 bis-sl-sles12-01 slapd[1054]: @(#) $OpenLDAP: slapd 2.4.41 $#012#011opensuse-buildservice@opensuse.org
2016-01-31T18:32:37.874643+01:00 bis-sl-sles12-01 slapd[1120]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T18:32:37.887186+01:00 bis-sl-sles12-01 slapd[1120]: slapd starting
2016-01-31T19:50:54.471810+01:00 bis-sl-sles12-01 slapd[1120]: conn=1007 op=0 do_extended: unsupported operation ""
2016-01-31T20:21:33.142768+01:00 bis-sl-sles12-01 slapd[1120]: daemon: shutdown requested and initiated.
2016-01-31T20:21:33.143144+01:00 bis-sl-sles12-01 slapd[1120]: slapd shutdown: waiting for 0 operations/tasks to finish
2016-01-31T20:21:33.157725+01:00 bis-sl-sles12-01 slapd[1120]: slapd stopped.
2016-01-31T20:21:33.205667+01:00 bis-sl-sles12-01 slapd[6537]: @(#) $OpenLDAP: slapd 2.4.41 $#012#011opensuse-buildservice@opensuse.org
2016-01-31T20:21:33.231214+01:00 bis-sl-sles12-01 slapd[6558]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T20:21:33.231978+01:00 bis-sl-sles12-01 slapd[6558]: slapd starting

At Yast Authentication Server Configuration
Checking LDAP connectivity to the provider failed.

"StartTLS operation failed"
"Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)"

Thats right - it is a self signed certificate installed on /etc/pki/trust/anchors

Where is my fault? What is my fault?
Thanks for your replay