intermediate not served from pfx

Bryn Lewis 2024-10-03 07:00:45 Registered user
Using ST4 with rtcsdk I am doing the following in setup:
```delphi
// trying this but doesn't seem to make any difference
smSimpleTLSInternalServer1.LoadTrustedCertsFromFile(PFXpath+'chain.p7b');
smSimpleTLSInternalServer1.LoadRootCertsFromFile(PFXpath+'chain.p7b');
smSimpleTLSInternalServer1.LoadMyCertsFromFile(PFXpath+'chain.p7b');
// included based on https://support.streamsec.net/forum/?cmd=viewtopic&topic_id=18&section_id=3&sid=
// doesn't seem to make a difference
smSimpleTLSInternalServer1.IncludeRootInTLSChain := False;
smSimpleTLSInternalServer1.LocalExplicitTrustByDefault := true;
PW := TSecretKey.CreateBMPStr('', 0);
smSimpleTLSInternalServer1.ImportFromPFX(global.APP_PATH+'ServerLE.pfx', PW);
smSimpleTLSInternalServer1.TLSSetupServer;
```

The above works and browsers will respond over TLS, but the intermediate certificate is not loaded and so analysis tools report an incomplete chain, e.g.: https://www.ssllabs.com/ssltest/analyze.html?d=report.ccpsagency.com.au

Some firewall products are blocking the site over this issue. I will provide the pfx and password by email but I am confident that it contains the intermediate. Can you advise?

thanks, Bryn
Henrick Wibell Hellström 2024-10-03 08:33:19 Registered user
1. The chain that is sent by the server during a TLS handshake will only fetch certificates from the MyCerts and RootCerts internal stores. Hence, for this purpose you should use the LoadRootCertsFromFile method.

NOTE 1: The TrustedCerts internal store only has a purpose when verifying certificates (e.g. when a client verifies the certificate sent by the server). You should remove the call to LoadTrustedCertsFromFile.

NOTE 2: Unfortunately, a file named chain.p7b might in some cases include the end entity certificate, as well as all issuer certificates. It is not ideal to add end entity certificates to the RootCerts internal store; if it can be avoided, it should be avoided; but if you have control over the private key of the end entity certificate, and won't use it for anything but TLS server authentication, there shouldn't be any harm done.

2. The smSimpleTLSInternalServer1 component has an event that might provide additional information: OnCertNotAccepted. Implement this. If some certificate in the p7b file is not added, except when due to a run time exception, the OnCertNotAccepted event will be called by the LoadRootCertsFromFile method. Note that OnCertNotTrusted might also be called by the LoadRootCertsFromFile method, but this might be ignored, since all certificates that are loaded this way will eventually be added with explicit trust.

If you find out that OnCertNotAccepted is called when you do the above, or that a (possibly silent) run time exception is raised, send the chain.p7b file to me by email, and I will have a look.
Bryn Lewis 2024-10-03 13:32:00 Registered user
I have made the change to only call LoadRootCertsFromFile:
```delphi
//smSimpleTLSInternalServer1.LoadTrustedCertsFromFile(PFXpath+'chain.p7b');
smSimpleTLSInternalServer1.LoadRootCertsFromFile(PFXpath+'chain.p7b');
//smSimpleTLSInternalServer1.LoadMyCertsFromFile(PFXpath+'chain.p7b');
```

The issue remains: analysis sites report that the intermediate is not loaded.
Henrick Wibell Hellström 2024-10-03 19:44:37 Registered user
The only reason I can see why the component wouldn't load the intermediate CA would be if it is the wrong CA certificate for the end entity server certificate, and that doesn't strike me as a likely explanation in this case. Could you try switching IncludeRootInTLSChain to true? Or send me the PFX and password, and I will experiment. If it is a Let's Encrypt certificate, you could always generate a new one for production.
Bryn Lewis 2024-10-03 22:47:15 Registered user
Changing IncludeRootInTLSChain = true seems to fix it.

I had set it to false because of the earlier post. My guess is that IncludeRootInTLSChain = false causes the last cert in the chain to be dropped. In this case that is the intermediate.
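As an added illustration of the behaviour discussed in this thread (example code added here, not StreamSec's, and a simplified name-only model rather than the component's actual algorithm): a server-side chain builder whose `include_top` flag stands in for IncludeRootInTLSChain, beside the completeness check an analysis tool applies on the client side. It shows why dropping the top certificate of the p7b is harmless only when that certificate is a self-signed root; all certificate names are constructed.

```python
# Added example, not StreamSec code. Certificates are modelled by
# subject/issuer names only; a real checker would verify signatures.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        # Name equality stands in for a verified self-signature.
        return self.subject == self.issuer


def build_sent_chain(leaf: Cert, store: list[Cert], include_top: bool) -> list[Cert]:
    """Walk issuer links from the leaf through `store` (the loaded p7b).

    `include_top=False` models the effect Bryn observed for
    IncludeRootInTLSChain=false: the last certificate found is dropped,
    whether or not it is actually a self-signed root.
    """
    chain = [leaf]
    while not chain[-1].is_self_signed():
        issuer = next((c for c in store
                       if c.subject == chain[-1].issuer and c not in chain), None)
        if issuer is None:
            break
        chain.append(issuer)
    if not include_top and len(chain) > 1:
        chain.pop()
    return chain


def missing_issuers(chain: list[Cert], trusted_roots: list[Cert]) -> list[str]:
    """Issuer names a client cannot resolve from the sent chain or its own roots.

    A non-empty result is what an analysis tool reports as an incomplete chain.
    """
    known = {c.subject for c in chain} | {r.subject for r in trusted_roots}
    return [c.issuer for c in chain if c.issuer not in known]


# Constructed three-level chain: the p7b holds leaf + intermediate only, and
# the root lives solely in the client's trust store, as with a public CA.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA")
LEAF = Cert("report.example.test", "Example Issuing CA")
P7B_WITHOUT_ROOT = [LEAF, INTERMEDIATE]
P7B_WITH_ROOT = [LEAF, INTERMEDIATE, ROOT]
```

With `P7B_WITHOUT_ROOT` and `include_top=False` the intermediate is the one dropped and the client reports its issuer as unresolvable; with the root present in the file, or with `include_top=True`, the check passes.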