Most of the times, the problem is the intermediate cert missing a required RFC value for
"Authority Key Identifier" field. Without this field in the intermediate cert you won't be able to use this cert on the CSM-S. Turns out we've seen a few cases with this and there's no way this will work. The fix is to get the CA to re-issue you a cert that has this fixed.