Oh, that issuer key hash correlates to the SKI of the leaf certificate
You need to make sure chain.pem contains only the intermediate. If it contains both the leaf and the intermediate, OpenSSL won't understand and will do the wrong thing. Just an annoying thing about the openssl CLI.