Hrmmm ... taking a look at the nsd.tcl file, there are three lines commented out per "SSL section":
#ns_param ServerCADir ca
#ns_param ServerCAFile ca.pem
#ns_param ServerTrace false
#ns_param SockServerCADir internal_ca
#ns_param SockServerCAFile internal_ca.pem
#ns_param SockServerTrace false
#ns_param SockClientCADir ca
#ns_param SockClientCAFile ca.pem
#ns_param SockClientTrace false
Now, for what we're looking at here, I'm suspecting that the first 3 are potentially critical? But what should they be set to? And, could this be the cause?