Openvpn – openssl invalid CA certificate

Tags: openssl, openvpn

I'm setting up server-to-server OpenVPN with a PKI infrastructure, and cannot make it work. I suspect it's something in the certificate chain, but I'm at a loss to explain how. I have an offline Root CA, and a certificate hierarchy. The CAs are managed externally by a product called EJBCA. Pictorially the chain looks like this (with names changed):

RootCA -> OnlineSubCA -> SubCA1 -> VPNCA

I signed a server and client cert with the CA VPNCA, and have the certificate chain on those systems. While debugging OpenVPN I tried using "openssl s_server" and "s_client", leading me to believe it's the CA chain. Specifically on the server:

openssl s_server -cert server.cert -key server.key -CAfile chained.pem -verify 5

and on the client

openssl s_client -cert client.cert -key client.key -CAfile chained.pem -verify 5

the server spits back, among other things:

depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify error:num=24:invalid CA certificate
verify return:1
depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify error:num=26:unsupported certificate purpose
verify return:1
depth=4 C = CA, O = My Company, CN = RootCA, emailAddress = certs@mycompany.com
verify return:1
depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify return:1
depth=2 CN = SubCA1, O = My Company, C = CA
verify return:1
depth=1 CN = VPNCA
verify return:1
depth=0 C = CA, ST = , L = , O = My Company, OU = , CN = client1.mycompany.com, emailAddress = pki@mycompany.com
verify return:1

and I'm at a complete loss to explain how or why this is the case. OpenVPN also fails with a similar error, from the client:

VERIFY ERROR: depth=3, error=invalid CA certificate: /C=CA/O=My_Company/CN=OnlineSubCA

I'm running OpenVPN 2.2.1 and OpenSSL 1.0.1 on Ubuntu 12.04. Time is in sync on both.

I'm at a loss on how to proceed any further. Any ideas/suggestions would be greatly appreciated.

Best Answer

This is a problem with the X509v3 extensions. Modern certificates are signed in a way that indicates the approved uses for that type of certificate. These can be displayed by piping the cert into openssl x509 -text, or specifying the file path with -in.

In your case, these error messages are indicating that the cert you're specifying is not a CA cert (the biggest hint is "unsupported certificate purpose"). Using the above command, display the text info of the certificate. A valid CA cert will read like so:

        X509v3 Basic Constraints:
            CA:TRUE

A non-CA cert will display this instead:

        X509v3 Basic Constraints:
            CA:FALSE

You may have gotten your files jumbled up; it's a rather easy thing to do when moving the files around. openssl x509 will shine a magnifying glass on what the contents of the actual certs are.
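As an added example (not code from the question or the answer above): a small POSIX shell helper that splits a chained PEM bundle such as the question's chained.pem into its individual certificates and prints each one's subject next to the Basic Constraints value that openssl x509 -text reports, so a certificate in the CA bundle that is not CA:TRUE stands out immediately. It assumes the openssl CLI is on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: list every
# certificate in a chained PEM bundle together with its X509v3 Basic
# Constraints, so a non-CA cert mixed into the CA bundle is easy to spot.
# Assumes the openssl CLI is on PATH; file names are placeholders.

# describe_chain BUNDLE
# Prints one line per certificate, in bundle order:
#   <index> <CA:TRUE|CA:FALSE|CA:MISSING> <subject>
describe_chain() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # Split the bundle: one file per BEGIN/END CERTIFICATE block.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%03d.pem", d, n++) }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
    i=0
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || break
        subj=$(openssl x509 -in "$c" -noout -subject)
        # Same view the answer recommends (openssl x509 -text); only the
        # Basic Constraints value it prints matters here.
        text=$(openssl x509 -in "$c" -noout -text)
        case "$text" in
            *"CA:TRUE"*)  ca="CA:TRUE" ;;
            *"CA:FALSE"*) ca="CA:FALSE" ;;
            *)            ca="CA:MISSING" ;;   # no Basic Constraints extension
        esac
        printf '%d %s %s\n' "$i" "$ca" "$subj"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# count_non_ca BUNDLE
# Prints how many certificates in the bundle are not marked CA:TRUE.
# For a bundle given to OpenVPN as --ca or to s_server/s_client as
# -CAfile, the expected answer is 0.
count_non_ca() {
    describe_chain "$1" | awk '$2 != "CA:TRUE" { n++ } END { print n + 0 }'
}

# Usage (placeholder file name):
#   describe_chain chained.pem
#   count_non_ca chained.pem
```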