We were able to solve the issue by creating the intermediate and root certificates and including them in the keystore.
We would be very interested in migrating to ODK Central, but the lack of iOS support is, very unfortunately, a deal breaker for us. 
Maybe that will be on the future roadmap?