Yes, it was Oracle's. The problem was on the Salesforce side (as a client). They couldn't verify the chain up to the CA because it is not included in the CA bundle. Adding something on the server side doesn't help here.