Topic: Order of certificate in chain
I am working on the server side of a system that uses WolfSSL on the client. Another engineer is building the client. We have a 3-cert chain, A->B->C where A is the root, B the intermediate, and C the server cert. The root cert A.pem is installed on the client device. My server (AWS Elastic Load Balancer or ELB) sends the certificate C.pem followed by B.pem in accordance with RFC 4346/8446
certificate_list
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority may optionally be omitted from the chain,
under the assumption that the remote end must already possess it
in order to validate it in any case.
I am told that WolfSSL cannot verify this chain because it must receive B.pem before C.pem. My question is: why is that? Is there a configuration in WolfSSL that can accomodate C.pem before B.pem? ELB has not way (at least I can't find it) for me to tell it to send B.pem before C.pem.
TIA.