When attempting to use a chained certificate with one or more intermediate certificates, Advanced Threat Protection (ATP) only utilizes the server certificate. This results in web browsers not trusting the ATP website or Endpoint Protection (SEP) clients failing to trust ATP for Insight lookups.
ATP 2.0 does not have the ability to import certificate chains. ATP 2.0 will only utilize the server certificate.
This issue is resolved with ATP 3.0.
For ATP 2.0, if you need to use a certificate with one or more intermediate certficates, you will need to add the intermediate certificate(s) manually to all of the clients or deploy them via Group Policy (GPO). See the following Microsoft technet article for deploying certificates via GPO.