Hi,
I'm new to Centrify and hope a guru might be able to help me.
I've set up a bunch of CentOS 7.2 machines with Centrify Express, have set up a Microsoft 2012 R2 Active Directory pair, and have purchased and installed public certificates on both my AD machines.
I've joined the AD domain on each of my CentOS 7.2 machines using the following (an extract from a script):
adjoin -u $ADJOIN_USER -p $ADJOIN_PASSWORD -c $AWS_CLIENT_DS_OU -w $AWS_DOMAIN_NAME --prewin2k $PREWIN2K_HOSTNAME
The Centrify "adjoin" command on all my CentOS 7.2 machines shows they have successfully joined the AD (and I can see my Microsoft 2012 R2 Active Directory domain controllers listed as "connected").
Now I'm trying to do an "ldapsearch" using the following Centrify Express command:
[root@machine]# /usr/share/centrifydc/bin/ldapsearch -d1 -v -LLL -H ldaps://{my-domain-controller-1}.{my-domain.com}:636 -b ou={level-4},ou={level-3},ou={level-2},ou={level-1} -x -D {username}@{my-domain.com} -w {my-password} userPrincipalName={username}@{my-domain.com}
But it fails with the error "TLS certificate verification: Error, unable to get local issuer certificate" (see below).
Can someone confirm whether this is an issue with not having put the public certificate on each local machine?
If so, are there Centrify instructions on how/where I might need to put the certificate?
Paged Search is enabled by default: PageSize=100/Prompt=No.
ldap_url_parse_ext(ldaps://{my-domain-controller-1}.{my-domain.com}:636)
ldap_initialize( ldaps://{my-domain-controller-1}.{my-domain.com}:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://{my-domain-controller-1}.{my-domain.com}:636/??base)
centrifydc_url_parse: Failed to find target service for domain{my-domain-controller-1}.{my-domain.com}, assuming this is the actual server name.
ldap_url_parse_ext(ldaps://{my-domain-controller-1}.{my-domain.com}:636/??base)
Using NETWORK TIMEOUT value: 15 sec
Using API TIMEOUT value: 15 sec
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP{my-domain-controller-1}.{my-domain.com}:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.X.Y.Z:636
ldap_pvt_connect: fd: 3 tm: 15 async: 0
ldap_ndelay_on: 3
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 3 tm: 15
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_pvt_connect: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 20, subject: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Thanks,
Damion.
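As an added illustration of what the trace above is reporting (not part of Damion's post or of Centrify's tooling): the script below builds a throwaway CA and a leaf certificate for a constructed DC name, then runs OpenSSL's path validation against a trust file that lacks the issuer (reproducing verify error 20, "unable to get local issuer certificate") and against one that contains it. All names and files here are constructed; nothing contacts a real domain controller.

```shell
#!/bin/sh
# Added demo (not from the post): reproduce OpenSSL verify error 20, the same
# "unable to get local issuer certificate" failure seen in the ldapsearch trace,
# with a throwaway CA and leaf, then show it clear once the issuing CA is trusted.
set -e
WORK=$(mktemp -d)

# Two throwaway roots: "demo-root" issues the leaf; "unrelated-root" stands in
# for a local trust store that does not contain the issuer.
for name in demo-root unrelated-root; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
    -subj "/CN=$name" >/dev/null 2>&1
done

# Leaf certificate for a constructed domain controller name, signed by demo-root
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/dc.key" \
  -out "$WORK/dc.csr" -subj "/CN=dc1.example.invalid" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/dc.csr" -CA "$WORK/demo-root.pem" \
  -CAkey "$WORK/demo-root.key" -CAcreateserial -out "$WORK/dc.pem" >/dev/null 2>&1

# verify_chain CAFILE: the same X.509 path validation a TLS client performs,
# printing OpenSSL's verdict; succeeds only if the leaf chains to CAFILE.
verify_chain() {
  openssl verify -CAfile "$1" "$WORK/dc.pem" 2>&1
}

# chain_ok CAFILE: returns 0 if validation printed "OK", 1 otherwise
# (exit codes of `openssl verify` differ across versions, so key on the output).
chain_ok() {
  verify_chain "$1" | grep -q ': OK$'
}

# Against a trust store missing the issuer: error 20, as in the trace above
verify_chain "$WORK/unrelated-root.pem" || true
# Against a trust store holding the issuer: OK
verify_chain "$WORK/demo-root.pem"

# For a real server, the chain it presents can be read with
#   openssl s_client -connect <dc-host>:636 -showcerts </dev/null
# and its issuer names compared with what the local trust store contains.
cleanup_demo() { rm -rf "$WORK"; }
```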