Forum Discussion
custom clientssl profile not working & giving warning to clients.
A client-side certificate error is usually one of three things. The certificate that the server has presented to the client in the SSL handshake:
- Is expired or invalid in some way.
- Has an x509 subject (or subjectAltName) that is not the same host name the client requested (this also happens when you access by IP address).
- Is not trusted. A client OS/browser will have an explicitly stored list of trusted certificate authority certificates. When the server presents its certificate to the client, the client must be able to establish a complete trust chain with that certificate from the certificates in its store. So for example, if you have a 3-level certificate architecture (CA -> subCA -> issued certs), but the client only has the root CA in its trust store, the client would be unable to build a complete chain. Perhaps the easiest thing to do here is to download the server's cert to the affected client machine and open it up. If Windows, go to the Certificate Path tab of the Certificate viewer to see if the client can build the path to the root CA.
For what it's worth, bundle certificates, chain parameters, and trusted and advertised certificate authority options are all only required when the client is passing a certificate to the server. These settings are not used when the server is passing a certificate to the client.