You can enable SSL debug logging for ssoadm as described in FAQ: SSL certificate management in DS 5.x or 6.x. You can see errors similar to the following in the DS server.out log: Initialized: [Session-7, SSL_NULL_WITH_NULL] LDAPS 0.0.0 port 40636(2) SelectorRunner, SEND TLSv1.2 ALERT: Fatal, description = handshake_failure. Using SSLEngineImpl: Allow unsafe renegotiation: false 1321 Allow legacy hello messages: true 1323 Is initial handshake: true.”]
Source: https://backstage.forgerock.com/knowledge/kb/article/a39099709

