FWIW, I had the same experience using FreeRADIUS 3.2.3 on Ubuntu 22.04. EAP-TLS authentication would always fail when using the configuration reject_unknown_intermediate_ca = yes When the server ran in debug mode it would print something like Warning: Certificate chain - 1 cert(s) untrusted Warning: (TLS) untrusted certificate with depth [1] subject name /CN=IntermediateCA Warning: (TLS) untrusted certificate with depth [0] subject name /CN=Client Auth: tls: There are untrusted certificates in the certificate chain. Rejecting. The server debug output will print all the certificates in the chain that the client provides. Removing the Intermediate CA from the server could change the output to Warning: Certificate chain - 2 cert(s) untrusted but there was always at least 1 cert(s) untrusted. My suspicion is that the Intermediate is not causing the problem. I suspect the call to X509_STORE_CTX_get0_untrusted returns the leaf certificate that the client provided as untrusted. I did not understand the code well enough to confirm my suspicion.