3602250 - X.509 SSO authentication fails when CA issues intermediate certificate

When X.509 certificate issued by CA includes an intermediate certificate, the SSO fails after following the Steps in Configure SSO with X.509 Authentication for SAP HANA XS Applications | SAP Help Portal. 
You can enable debug traces on section Authentication and Crypto, and found out below error in debug traces.

1. alter system alter configuration ('<service>.ini','SYSTEM') SET ('trace','crypto')='debug',('trace','authentication')='debug',('trace','commoncrypto')='debug' with reconfigure;

2. Reproduce the SSO issue.

3. alter system alter configuration ('<service>.ini','SYSTEM') unset ('trace','crypto'),('trace','authentication'),('trace','commoncrypto') with reconfigure

• Symptom 1:
  

  # --- Messages -----------
  ERROR: The chain of certificates is incomplete or untrusted, missing certificate of [<serial number>] CN=<X 509 user name>
  .......
  [00000]\{0000\}[0/-1] YYYY-MM-DD HH:MM:SS.sssss i Authentication   MethodX509Internal.cpp(00195) : unsuccessful login attempt via X509Internal! (could not validate certificate)

• Symptom 2:
  [00000]\{00000\}[0/-1] YYYY-MM-DD HH:MM:SS.sssss d Authentication   MethodX509Internal.cpp(00211) : subject=CN=<X 509 username>, issuer=<Entity of the End-Entity Certificate>
  [00000]\{00000\}[0/-1] YYYY-MM-DD HH:MM:SS.sssss d Authentication   MethodX509Internal.cpp(00217) : getX509UserMapping with Utf8 NOT successful retrying with Latin1 

• SAP HANA Platform Edition 1.0
• SAP HANA Platform Edition 2.0

KBA , HAN-DB-SEC , SAP HANA Security & User Management , HAN-STD-ADM-SEC , SAP HANA Security & User Management (Studio) , How To