and further checking reveals that we may not be generating valid
sslclient certs with the 2nd CA (we're trying to be very specific about
the extended attributes enabled for certs under the 2nd CA, and may not
have enabled digital signatures, which appear to be required for clients).
Assume it works if you don't hear from me again about this :-).