Setting up connection to WPA2 Enterprise (PEAP/MSCHAPv2) with two-level certificate

6 votes
1 answer
24560 views
For a long time, I have been able to use NetworkManager + wpa_supplicant as configured in Debian 7 to connect to a secure wireless at work (which is WPA2 Enterprise, with PEAP + MSCHAPv2 authentication). Recently I want to increase the security of the connection by incorporating the server's certificate into my Network Manager connection setting. I received two PEM keys from the network administrator:

- radius1.pem -- the RADIUS certificate
- globalsign_intermediary.pem -- the intermediary certificate

The RADIUS cert depends on the intermediary cert for its authenticity; and the intermediary cert depends on the ultimate root CA from GlobalSign.

**Here's my goal**: I want to have my laptop check the authenticity of the wifi access point whenever I connect to the wifi network. How do I put these certs in the connection setting (/etc/NetworkManager/system-connections/THE-AP-NAME file) so that I can accomplish this goal? To be specific: which file should be listed where (e.g., what config file), and what additional steps are needed to get the server certificate(s) verified?

I am asking this here since all that I found elsewhere are 1-step certificate checks, in which the certificate probably depends on a well-established root CA rather than an intermediary CA like in my case.

Currently this is the content of my connection setting file (XXXX and YYYY denote obscured info):

```ini
[ipv6]
method=ignore

[connection]
id=XXXXXXXXX
uuid=XXXXXXXXX
type=802-11-wireless
timestamp=1436377448

[802-11-wireless-security]
key-mgmt=wpa-eap

[802-11-wireless]
ssid=XXXXXXXXX
mode=infrastructure
seen-bssids=XXXXXXXXX
security=802-11-wireless-security

[802-1x]
eap=peap;
identity=XXXXXXXXX
password=YYYYYYYYY
ca-cert=/etc/NetworkManager/certs/work/globalsign_intermediary.pem
phase2-auth=mschapv2

[ipv4]
method=auto
```

As you see, I was using the intermediary cert file. But this was not right. Neither was it right to use only the RADIUS cert file.
In either case, I got the following error in syslog:

```
Jul 8 12:02:37 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jul 8 12:02:37 wirawan1 kernel: [3880972.051159] wlan0: Limiting TX power to 20 (20 - 0) dBm as advertised by xx:xx:xx:xx:xx
Jul 8 12:02:37 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jul 8 12:02:37 wirawan1 wpa_supplicant: OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
Jul 8 12:02:37 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jul 8 12:02:37 wirawan1 wpa_supplicant: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2'
Jul 8 12:02:37 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2' err='unable to get local issuer certificate'
Jul 8 12:02:37 wirawan1 wpa_supplicant: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jul 8 12:02:37 wirawan1 wpa_supplicant: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jul 8 12:02:38 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jul 8 12:02:40 wirawan1 wpa_supplicant: wlan0: Authentication with xx:xx:xx:xx:xx timed out.
```

Apparently the trust chain cannot be established.

The hardware is (lspci):

```
03:00.0 Network controller: Intel Corporation PRO/Wireless 5100 AGN [Shiloh] Network Connection
```

It uses the iwlwifi+iwldvm driver. Kernel version 3.12.9-1~bpo70+1 (2014-02-07), from the Debian backport package linux-image-3.12-0.bpo.1-amd64.

I am not new to Linux, but really don't know how to deal with x509 and/or SSL/TLS security in Linux, so please answer with step-by-step instructions.
Googling around to find the answer to this problem has left me frustrated. The WPA supplicant documentation is very terse in discussing the use of certificates in conjunction with WPA2 Enterprise. And NetworkManager has even poorer documentation.
Asked by Wirawan Purwanto (293 rep)
Jul 8, 2015, 07:10 PM
Last activity: Apr 6, 2019, 01:22 AM