Hi @rjs
never hardcode intermediate certificates, that's a simple rule.
Browsers are tolerant, they add the chain. Other clients are critical. They may fail.
So if you have IoT you should always import the intermediate of your newly created certificate.