Users are unable to authenticate after renewal of CA certificate of domain controller
The CA certificate of our domain controller (Windows 2019) had to be renewed recently because the old certificate had expired. Since then, VPN authentication is refused, although the new certificate is known to the pfSense instance (System/Certificate/Authorities). The new CA certificate is present in /etc/ssl/certs. ldapsearch executed on the command line on the pfSense instance works if "env LDAPTLS_CACERT=/path/to/ca.crt" is prepended to ldapsearch, but does not work when LDAPTLS_CACERT is not defined (items enclosed in <...> are redacted):
[xyz]/etc/ssl/certs: ldapsearch -d1 -W -x -b '<searchpath>' -D "<DN>" -H "ldaps://<ads.domain.net>:636"
ldap_url_parse_ext(ldaps://<ads.domain.net>:636)
ldap_create
ldap_url_parse_ext(ldaps://<ads.domain.net>:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <ads.domain.net>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <ipv6> 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 20, subject: , issuer: <issuer>
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:0A000086:SSL routines::certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The same ldapsearch command works on other clients.
The pfSense version is 2.7.2. Why does the authentication fail? Why is the CA certificate not found? What can I do to make this work?
Best regards
Winfried
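Added example, not part of the post above and not Netgate's or OpenLDAP's code: the trace shows verify error 20, which is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, and the observation is that the same ldapsearch succeeds once LDAPTLS_CACERT names the CA file directly. One mechanism that produces exactly that pattern is worth checking offline: OpenSSL's directory-based lookup (CApath, which libldap exposes as TLS_CACERTDIR) opens only files named <subject_hash>.N inside the directory, so a PEM file copied into a certs directory under a name like ca.crt is never read by that lookup, whereas a CAfile setting (LDAPTLS_CACERT, or TLS_CACERT in ldap.conf) reads the named file as-is. The script below builds a throwaway CA and server certificate and runs openssl verify in both modes, before and after adding the hash link. Everything in it is constructed: the CA name "Example Lab CA", the host ads.example.test, and a scratch directory standing in for /etc/ssl/certs; it does not assert anything about how pfSense itself wires the GUI-configured CA into its LDAP client.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce OpenSSL's issuer
# lookup with a throwaway CA so the difference between a CA *file*
# (LDAPTLS_CACERT / TLS_CACERT) and a CA *directory* (TLS_CACERTDIR / CApath)
# can be seen offline. All names are constructed; the scratch directory
# $CA_DIR is only a stand-in for something like /etc/ssl/certs.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/certs"
mkdir -p "$CA_DIR"

# Minimal openssl config so the lab CA really carries basicConstraints=CA:TRUE,
# independent of whatever the system openssl.cnf defaults to.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed lab CA and a short-lived server certificate issued by it.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Lab CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    >/dev/null 2>&1
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ads.example.test" -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" \
    >/dev/null 2>&1

# Verify certificate $2 against a single CA file $1.
# This is the lookup LDAPTLS_CACERT=<file> (or TLS_CACERT in ldap.conf) selects.
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify certificate $2 against a CA directory $1.
# This is the TLS_CACERTDIR / CApath lookup: OpenSSL opens only files named
# <subject_hash>.<n> in that directory; a file with any other name is ignored.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Create the <subject_hash>.0 link that CApath lookup needs (what c_rehash /
# "openssl rehash" does for a whole directory). $1 = directory, $2 = CA file.
rehash_ca() {
    ln -sf "$2" "$1/$(openssl x509 -hash -noout -in "$2").0"
}

# Drop the CA into the directory under a human-readable name, as one would by
# copying it into /etc/ssl/certs, then exercise each lookup mode.
cp "$WORK/ca.crt" "$CA_DIR/ca.crt"

if verify_with_cafile "$WORK/ca.crt" "$WORK/server.crt"; then
    echo "CAfile (LDAPTLS_CACERT):         verified"
fi
if ! verify_with_capath "$CA_DIR" "$WORK/server.crt"; then
    echo "CApath (ca.crt, no hash link):   unable to get local issuer certificate"
fi
rehash_ca "$CA_DIR" "$CA_DIR/ca.crt"
ls -l "$CA_DIR"
if verify_with_capath "$CA_DIR" "$WORK/server.crt"; then
    echo "CApath (after adding hash link): verified"
fi
```

If the real directory shows the same behaviour, the fix is either a hash link for the new CA (openssl rehash on the directory), or pointing libldap at the file explicitly with TLS_CACERT in the client ldap.conf (on a FreeBSD-based system the OpenLDAP client config is assumed to live under /usr/local/etc/openldap/ldap.conf; check with ldapsearch -d1 where it reads its settings from). Note also that the expired CA may still be present under its old hash name, and a renewed CA with the same subject gets the same hash, so the new link must use the next free suffix (.1) or replace the stale one.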
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.