Hi,
It didn't make sense to me that they had to share a CA -- what they really need is knowledge of the CA of the master. slapd looks in /opt/zimbra/conf/ca for that. To make replication work, each replica needs to have the CA for the certificate used by the master in that directory, with a hash linked to it. That resolves the issue.
Larry |