I am attempting to set up external LDAPS authentication against one of my AD domain controllers. LDAP (no SSL) works fine, but LDAPS gives me trouble. I first encountered an untrusted certificate error, but that was resolved by adding the CA certificate to the Java keystore. However, now I am getting another error...

Code:
javax.naming.CommunicationException: simple bind failed: mydc.my.domain:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment]
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:195)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
	at javax.naming.InitialContext.init(InitialContext.java:223)
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
	at com.zimbra.cs.account.ldap.ZimbraLdapContext.ldapAuthenticate(ZimbraLdapContext.java:622)
	at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:94)
	at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:177)
	at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:45)
	at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:412)
	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:287)
	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:158)
	at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:303)
	at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:217)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
	at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:206)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:814)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
	at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
	at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
	at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:218)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:422)
	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
	at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
	at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
	at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
	at org.mortbay.jetty.Server.handle(Server.java:326)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:585)
	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:988)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:415)
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:429)
	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:400)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:373)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:332)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:190)
	... 49 more
Caused by: sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment
	at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:247)
	at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:124)
	at sun.security.validator.Validator.validate(Validator.java:221)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
	... 62 more
I'm not sure which machine is getting hung up on key encipherment. I tried reissuing the certificate for my DC to include key encipherment, but that made no difference. The only error I am getting on my Windows server (even with schannel logging cranked up all the way) is Schannel alert 46, which seems to be where Windows throws its hands up in confusion and says "I dunno". (RFC 5246 specifies error 46 as "certificate_unknown Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.")

Do I need another certificate for my Zimbra server? LDAPS does not require a certificate for the client, but if it would help I can -- as long as someone tells me where I need to add the LDAPS client certificate. (Java keystore again?)

Thanks for any help you can provide.
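The ValidatorException in the trace is raised by the Java client's end-entity check (EndEntityChecker.checkTLSServer) on the certificate the DC presents, so what matters is the KeyUsage extension of whatever certificate is actually served on port 3269, which may differ from the one just reissued. Added example, not from the original post or from Zimbra: a dependency-free Python walker that fetches that certificate and reports whether its KeyUsage includes keyEncipherment, which the JDK requires for RSA key-exchange suites; the hostname and port are taken from the trace, and the sample byte strings are constructed for offline testing.

```python
import ssl
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, OID 2.5.29.15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def _tlv(buf, pos):
    """Decode one DER element at pos: returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def find_key_usage(der):
    """Depth-first search for Extension{OID 2.5.29.15, [critical], OCTET STRING{BIT STRING}}."""
    pos = 0
    while pos < len(der):
        tag, value, pos = _tlv(der, pos)
        if not tag & 0x20:  # primitive element: nothing to descend into
            continue
        if tag == 0x30 and len(value) >= 2 and _tlv(value, 0)[:2] == (0x06, KEY_USAGE_OID):
            # extnValue follows the 5-byte OID and the optional 3-byte critical BOOLEAN
            octets = _tlv(value, 8 if value[5] == 0x01 else 5)[1]
            bit_tag, bits, _ = _tlv(octets, 0)
            return bits if bit_tag == 0x03 else None
        found = find_key_usage(value)  # recurse into SEQUENCE/SET/[n] containers
        if found is not None:
            return found
    return None

def key_usage_names(bitstring):
    """Map BIT STRING content (first byte = unused-bit count) to the named usages."""
    unused, payload = bitstring[0], bitstring[1:]
    value, nbits = int.from_bytes(payload, "big"), 8 * len(payload) - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and (value >> (8 * len(payload) - 1 - i)) & 1]

def check_key_usage(der):
    """Return (usages, ok); ok is False only if KeyUsage is present without keyEncipherment."""
    bits = find_key_usage(der)
    names = key_usage_names(bits) if bits is not None else None
    return names, names is None or "keyEncipherment" in names

def fetch_leaf_cert_der(host, port=3269):
    """Fetch the certificate the server actually presents on that port (network call)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed samples (not real certificates): an Extensions SEQUENCE with one critical KeyUsage.
SAMPLE_OK = bytes.fromhex("3010300e0603551d0f0101ff0404030205a0")        # digitalSignature, keyEncipherment
SAMPLE_SIG_ONLY = bytes.fromhex("3010300e0603551d0f0101ff040403020780")  # digitalSignature only
```

Running `check_key_usage(fetch_leaf_cert_der("mydc.my.domain"))` against the DC shows which usages the served certificate carries; a `False` second element reproduces the JDK's complaint, while `(None, True)` means the served certificate has no KeyUsage extension and the failure lies elsewhere in the chain or cipher-suite selection.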