see discussion here: https://github.com/OPCFoundation/UA-.NETStandard/issues/2020

After updating the app cert with a signed cert of of the GDS, the GDS does not AutoAccept the connection, because of the BadCertificateChaininvalid error.
The GDS did not know its own CA issuer certs.

Fix:
I) Solution in .NET stack is to set SendCertificateChain=true
ii) in GDS copy CA certs to Issuer store to complete the chain

comment Randy:

The GDS should have a knowledge of all CAs its uses to issue Certificates.
If it rejects a certificate it just issued then the GDS is broken (it only needs to be in the issuer store – the CA does not need to be trusted, just known).

I agree this needs a mantis issue in Part 12.
It can be a mandatory requirement since it results in really annoying IOP problems.

Regards,
Randy