Hi Simo, yes, I had tried this and it was still causing the same issue. If anyone else encounters a similar problem, here is the solution that worked for me: This file: /usr/lib/python2.4/site-packages/ipaserver/replication.py Contains this line at the top: CACERT="/usr/share/ipa/html/ca.crt" When updating the dirsrv and http server NSS database certs with ipa-server-certinstall, this particular cert never gets updated. It keeps the original self-signed cert that was installed (standalone, not NSS). Backed up this file, and copied (for me, DigiCertCA2.crt) the proper CA cert to allow the verification worked finally. I had tried the full chain, the primary DigiCertCA.crt cert, etc. But the one that it wanted was the DigiCertCA2.crt certificate alone. Thanks! >> So, can someone give me some advice about where else it may be reading >> the certificate from, or how I can do things "the proper way" >> for IPA? >/etc/ipa/ca.crt is another place where the cert can be found. >but for winsync you can pass the cacert on the command line, have you tried that ? >Simo.