For backwards compatibility, I updated our intermediate certificates to provide the AAA Certificate Services signing https://censys.io/certificates/68b9c761219a5b1f0131784474665... to replace the expired 2nd intermediate certificate. (Modifying the "GandiStandardSSLCA2.pem" file in my case.)