I'm trying to set up openldap + pam + sssd and everything seems to be working except sssd is not able to use TLS to communicate with my ldap server.
When I use ldap_auth_disable_tls_never_use_in_production=True, everything works.

Here are the relevant log messages:
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -8157:Certificate extension not found.]

There's not much to be found on Google, except this promising RHKB entry that requires a subscription to see the solution: https://access.redhat.com/solutions/185883

Can someone tell me what this error is supposed to be telling me about what's wrong with my certificate?