pfSense

I am using pfSense and OpenVPN with a few intermediate CAs to seperate VPN servers by project:

CA1 (our own CA, self signed, imported to pfSense without private key))
  |
  -- CA2 (intermediate CA, created externally and imported to pfSense including private key)
       |
       -- CA3 (intermediate CA for Project1, created internally and signed using CA2)
       |    |
       |    -- server1 (server cert for VPN server)
       |    |
       |    -- user1 (user cert)
       |
       -- CA4 (intermediate CA for Project2, created internally and signed using CA2)

etc. etc.

If I configure the VPN-server for Project 1 to use CA1 as a Peer Certificate Authority, everything works nicely. However I don't want to do that of course, because I want to be able to seperate the servers for every project and only allow clients onto a project VPN that were signed by the intermediate project CA. If I set it to use CA3 as a Peer Certificate Authority, it can't verify the user cert and fails with:

VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=DE, ST=NRW, L=town, O=corp, emailAddress=xxx@bla, CN=CA3, OU=bla 

The user cert in question is generated internally. It is signed by CA3 according to the GUI and, when I decode it using openssl, it has CA3 as the Issuer and CA2 as the Authority Key Identifier.