Wondering that myself, opened a ticket with TAC today to get the answer. I cannot tell if my PKI isn't working right, if I am not doing this right, or if it isn't supported. I got this working on SHA1 before, but the PKI infrastructure has been redone (partially) and only gives me SHA2.
I'm having a similar issue. I can get secure LDAP working over port 389 using StartTLS with a SHA1 LDAP certificate for UCS Central. But it fails with a SHA2 LDAP certificate. We are using Microsoft Active Directory domain controllers as LDAP servers.
I've opened up a TAC case as well. Hoping to get an answer soon.
Update: The issue is now resolved. UCS Central supports both SHA-1 and SHA-2 certificates, so that was not the issue. The issue just happened to manifest itself when I was working with the SHA-2 trusted point.
The issue was related to a known bug in the version of UCS Central we are running (v1.3 1b) - Symbolic links not removed correctly when managing Trusted Points. Details of this issue and the workaround (manually unlink the broken symbolic links from command line) are here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy14299/?referring_site=bugquickviewredir
This issue is resolved in v1.4 (1b).