When the CSR contains an email address and the email_in_dn setting in the config file is set to "no" the email address is actually present in the issuer DN but not in the subject DN. This causes errors when verifying certificate chains since the subject hash is used to identify a cert but the issuer hash is different. A dirty workaround is to 1) link the subject hash to the cert file and additionally 2) link the issuer hash to the same cert file