After updating one of the backend web server SSL certificates, the following error began appearing in the Access Gateway Web Agent trace logs:
[Noodle::doGet][javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed at sun.security.ssl.Alert.createSSLException(Alert.java:131)]
Access Gateway 12.9 and higher
Access Gateway's certificate bundle used for backend connections had not been updated with the certificate authority (CA) chain certificates.
Add the needed certificate authority certificates to the /secure-proxy/SSL/certs/ca-bundle.cert file and restart Access Gateway (on Windows, only the CA Access Gateway Engine service needs to be restarted - the CA Access Gateway Proxy service (Apache) does not need to be restarted).
Certs should be added in PEM/BASE64 format. Note that comments can be added to the file anywhere outside the BEGIN/END CERTIFICATE tags (no special character is needed - all lines outside the tags are comments).
Note that on Access Gateway hosts with multiple Access Gateway instances, the path to this file has an additional folder with the instance name:
/secure-proxy/<instance_name>/SSL/certs/
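A structural check that can be run on the edited bundle text before restarting, given here as an added example and not part of the product or of this article's original text. The function name `check_bundle` and the `SAMPLE` input are assumptions constructed for illustration; the check covers the file format only (comment lines, balanced tags, base64, duplicates) and does not validate signatures or chains.

```python
import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed sample: the base64 body is a tiny DER value, not a real certificate.
SAMPLE = """\
Internal issuing CA (free-form comment line)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
not*base64
"""

def check_bundle(text):
    """Return (sha256 fingerprints, problems); text outside the tags is comment."""
    fingerprints, problems = [], []
    body, start = None, 0  # body is None while outside a BEGIN/END block
    for num, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {start}: BEGIN without matching END")
            body, start = [], num
        elif line == END and body is None:
            problems.append(f"line {num}: END without matching BEGIN")
        elif line == END:
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                der = b""
            fp = hashlib.sha256(der).hexdigest()
            if not der.startswith(b"\x30"):  # DER certificates open with SEQUENCE
                problems.append(f"line {start}: block is not base64-encoded DER")
            elif fp in fingerprints:
                problems.append(f"line {start}: duplicate certificate")
            else:
                fingerprints.append(fp)
            body = None
        elif body is not None:
            body.append(line)
    if body is not None:
        problems.append(f"line {start}: BEGIN without matching END")
    return fingerprints, problems
```

Calling `check_bundle` on the contents of `ca-bundle.cert` returns an empty problem list when every block is well-formed.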
The same root cause can produce different error messages in the web agent trace log. Here is one example:
[PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]