FWIW I just got bit by this same thing, spending half a day yesterday kicking the wall. I think I got about 2/3 of the way just by trial and error on the certs.
Would love to see this doc'd with the proper method, using an in-house local CA (not a public CA).