Requirements for client authentication certificates?

[grant.b...@gmail.com]

I'm using Open62541 1.1 with mbedtls and allow client authentication using certificates.

This has worked fine for a couple years, but I am no longer able to generate certificates that work. I always get the following error:

Verifying the certificate failed with error: The certificate is not correctly signed by the trusted CA

info/network  Connection 25 | Processing the message failed with error BadCertificateUntrusted

According to "openssl verify" the certificate presented by the client is properly signed by one of the CA certificates in the OPC UA server's trusted list.

How does one troubleshoot certificate validation failures?

Where can I find documentation on the requirements for the client authentication certificates?