You are able to connect with ldap:// to Symantec Directory DSA, but unable to connect via ldaps://.
ldapsearch -x -H ldap://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001" (WORKS)
ldapsearch -x -H ldaps://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001" (DOES NOT WORK)
You have confirmed the certs are in good health.
When setting the trace log level to 'all', you may see:
!  Accepting call from TCP 18.104.22.1681:1111
!  GetRemoteHostName: No host name
!  Call closed 18
Release : 14.0
Component : CA Directory
Problem could be due to not setting up environment variable called LDAPTLS_CACERT that is required by 'ldapsearch' command line tool.
For Directory tools (i.e. DXtools such as dxsearch, dxmodify etc.) we document the same but the variable is called LDAPCONF as referenced here:
For LDAP tools, which is out side of Directory product, requirement is to set LDAPTLS_CACERT environment variable the same way as LDAPCONF mentioned above.
ldapsearch -x -H ldaps://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001"