HA not working as expected with ext-jwt signer (without JIT enrollment)

That isn't an issue, that is Claude not understanding the whole enrollment process and how the PKI is managed. AI LLMs aren't good at system wide scope and context if you don't feed them properly via a prompt or pre-configured architecture or a persona with specific implementation knowledge.

Routers and SDKs that enroll receive a full chain up to but not including the root. The client supplied chain is used as potential links to a trust anchor. In that scenario, the root trust anchor chain will be returned even if the signing controller's intermediate isn't a trust anchor. So what it is saying isn't the issue.

We have a long-standing issue to remove that behavior as well, the intermediate signer in the CA pool, but legacy systems and older enrolled clients will start to fail due to an old bug present in 1.3 (I think) that would carry forward for non-HA systems. We added facilities to OpenZiti for systems operators to identify which identities need to either re-enroll or upgrade to an SDK that will auto-refresh its certificates to avoid that situation. Going to HA requires identities to not be in that bugged state.

But saying that, are you using a really old identity? And if so can you send me the identity file w/o private key.
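To make the chain-building point above concrete, here is an added example (not OpenZiti code, and not from the poster) using Go's standard `crypto/x509`: a constructed in-memory root, intermediate and identity certificate, where the identity presents its chain up to but not including the root, the root is the only trust anchor, and the verifier still returns the full chain ending at that anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds a throw-away in-memory test certificate (constructed PKI, not a
// real deployment); parent == nil yields a self-signed root.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifiedChainLen models the scenario in the post: the identity supplies leaf plus
// intermediate (no root), only the root is a trust anchor, and the intermediate is
// used purely as a link. It returns the length of the chain the verifier builds.
func VerifiedChainLen() int {
	root, rootKey := newCert("test-root", 1, true, nil, nil)
	inter, interKey := newCert("test-intermediate", 2, true, root, rootKey)
	leaf, _ := newCert("test-identity", 3, false, inter, interKey)

	anchors := x509.NewCertPool()
	anchors.AddCert(root) // the only trust anchor
	supplied := x509.NewCertPool()
	supplied.AddCert(inter) // client-supplied link; not itself an anchor

	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: anchors, Intermediates: supplied,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		panic(err)
	}
	return len(chains[0]) // 3: leaf -> intermediate -> root
}
```

If you drop the intermediate from `supplied`, `Verify` fails with an unknown-authority error, which is the failure mode an identity hits when its stored chain no longer links to a current anchor.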