Implicit trust relationship of client and server certificates #126
martincorr
started this conversation in
General
Replies: 0 comments
I'm trying to create a setup where:
I'm using Postman and loaded a client cert = one of the user certs certified under the public PKI
My client (Postman) fails with an authorisation failure:
Error: 649088:error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN:........\src\third_party\boringssl\src\ssl\tls_record.cc:592:SSL alert number 46
If I do not configure Postman with any client certs, I get this:
"error": "Authorization failed: Error, client authentication is required."
If I configure Postman to use my superadmin account that I use to administer SignServer (i.e. certified under ManagementCA) AND I add that cert to the authorization certs for the worker, then it works.
If I remove the superadmin cert from the worker authorization cert list and rerun Postman, then I get:
"error": "Authorization failed: Worker 7: Client is not authorized: "UID=c-00j5f7x7leyo8bfar,CN=SuperAdmin,O=EJBCA Container Quickstart", "5feff088e7386aa31813ebdb630ce71002a18fa8, UID=c-00j5f7x7leyo8bfar,CN=ManagementCA,O=EJBCA Container Quickstart""
Ideally I should just be able to specify a list of end user certificates for a SignServer worker, and the SignServer REST API verifies against those regardless of whether or not they are trust-related to my SignServer instance web site certificate.
Or maybe this is all possible but my rig is not correctly configured.
Any ideas?