I did find something unusual: the certs are served by a squid3 instance:
https_port 443 accel vhost options=NO_SSLv3:NO_SSLv2
... and the sitename_com.sslcert has a
block of text that is identical to the contents
of sitename_com.cacert file. But if I remove that extra
copy of the cacert and try to restart squid3, it complains that the
cert is invalid.
Technically the certificate chain is still valid,
since the server cert depends on a valid ("intermediate")
cacert that is provided, it's just provided twice.
Don't know why DigiCert thinks it was the server cert.
Still, it's an anomaly on my part. I'll
resolve that and test it again before asking for a support ticket.
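
An added example, not part of the original post: one way to find a certificate that appears more than once in a PEM bundle, or that is shared with a separate CA file, by hashing the decoded DER so that differences in line wrapping do not hide a duplicate. The PEM payloads are constructed placeholder bytes, not real certificates, and SSLCERT and CACERT stand in for the contents of the two files named above.

```python
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

def pem_blocks(text):
    """Return [(label, sha256 of decoded body)] for each PEM block, in file order."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group("body").split()))
        out.append((m.group("label"), hashlib.sha256(der).hexdigest()))
    return out

def duplicate_certs(bundle_text):
    """Map fingerprint -> 0-based block positions, for certificates present more than once."""
    seen = {}
    for i, (label, fp) in enumerate(pem_blocks(bundle_text)):
        if label == "CERTIFICATE":  # skip private keys and other block types
            seen.setdefault(fp, []).append(i)
    return {fp: pos for fp, pos in seen.items() if len(pos) > 1}

def shared_with(bundle_text, ca_text):
    """Positions in the bundle whose certificate also appears in the CA file."""
    ca = {fp for label, fp in pem_blocks(ca_text) if label == "CERTIFICATE"}
    return [i for i, (label, fp) in enumerate(pem_blocks(bundle_text))
            if label == "CERTIFICATE" and fp in ca]

def make_pem(payload, width=64):
    """Wrap constructed bytes in PEM armour (sample data only)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(payload).decode(), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: a leaf followed by the same intermediate twice,
# the second copy wrapped at a different width.
LEAF = b"constructed leaf certificate bytes" * 3
INTERMEDIATE = b"constructed intermediate CA bytes" * 3
SSLCERT = make_pem(LEAF) + make_pem(INTERMEDIATE) + make_pem(INTERMEDIATE, width=76)
CACERT = make_pem(INTERMEDIATE)

if __name__ == "__main__":
    print("duplicates in bundle:", duplicate_certs(SSLCERT))
    print("bundle blocks also in CA file:", shared_with(SSLCERT, CACERT))
```

The positions reported are block indexes in the file, so they show which copies are redundant without implying which one the server needs.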