Ssl_client_certificate set to a certificate chain?

I fall into this situation: one root CA issued two intermediate CAs,
one for merchants and another for payment gateways. I set
ssl_client_certificate to intermediate CA of payment gateways, client
cannot verify itself. I guess it’s because ssl_client_certificate is
not set to a self-signed root CA. So, I changed that parameter to the
root CA, it works.

But, theoretically another merchant could connect to my server with
it’s certificate signed by merchants intermediate CA. How can I avoid
this? I set the parameter to a certificate chain of root CA and
payment gateways’s intermediate CA, and tried openssl s_client
-connect server:8443 , openssl says:

Acceptable client certificate CA names

I don’t know the server would accept a certificate issued by
UP_ROOT_CA and UP_CA, or issued by UP_ROOT_CA or UP_CA.

Ren Xiaolei