Thanks again for the pointers on this. I hadn't checked the CRL signing, but I have now; however, all appear to be signed by the same chain as the certificate.
Once I get this working, I do intend to post the config and general things I've encountered while getting this set up.
Here is the certificates screen on the RouterBOARD, and you can follow the chain through to the AddTrust root.
Here is the list of CRLs on the RouterBOARD from the certs.
Then here is each of those CRLs and who has signed them.

COMODORSADomainValidationSecureServerCA.crl

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
            Last Update: Jul 20 03:39:19 2018 GMT
            Next Update: Jul 24 03:39:19 2018 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
                X509v3 CRL Number:
                    1693

COMODORSACertificationAuthority.crl

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha384WithRSAEncryption
            Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
            Last Update: Jul 19 12:48:07 2018 GMT
            Next Update: Jul 23 12:48:07 2018 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
                X509v3 CRL Number:
                    3211

AddTrustExternalCARoot.crl

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
            Last Update: Jul 19 12:48:07 2018 GMT
            Next Update: Jul 23 12:48:07 2018 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
                X509v3 CRL Number:
                    4944
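
The comparison described in the post can be scripted. This is an added example, not part of the original post: it parses a CRL text dump in the format shown above and checks issuer DN, authority key identifier, and the validity window against a CA's subject and subject key identifier. The function names, and the `ca_subject`, `ca_ski` and `now` inputs, are assumptions supplied by the caller; this is a consistency check only and does not verify the CRL signature.

```python
import re
from datetime import datetime, timezone

# Text dump of the first CRL in the post, embedded so the example runs offline.
SAMPLE = """\
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Last Update: Jul 20 03:39:19 2018 GMT
Next Update: Jul 24 03:39:19 2018 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 CRL Number:
1693
"""

def parse_crl_text(text):
    """Extract the fields needed for the checks; tolerates indented or flat dumps."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    def when(label):
        raw = field(rf"^\s*{label}:\s*(.+?)\s*GMT\s*$")
        if raw is None:
            return None
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return {
        "sig_alg": field(r"^\s*Signature Algorithm:\s*(\S+)"),
        "issuer": field(r"^\s*Issuer:\s*(.+)$"),
        "last_update": when("Last Update"),
        "next_update": when("Next Update"),
        "aki": field(r"^\s*keyid:([0-9A-Fa-f:]+)"),
    }

def check_crl(crl, ca_subject, ca_ski, now):
    """Return a list of problems; ca_subject/ca_ski come from the issuing CA cert."""
    problems = []
    if crl["issuer"] != ca_subject:
        problems.append("issuer DN differs from CA subject")
    if (crl["aki"] or "").upper() != ca_ski.upper():
        problems.append("authority key id differs from CA subject key id")
    if crl["last_update"] and now < crl["last_update"]:
        problems.append("CRL not yet valid (check device clock)")
    if crl["next_update"] and now > crl["next_update"]:
        problems.append("CRL expired (nextUpdate passed)")
    return problems
```

With a four-day window between Last Update and Next Update, as in the dumps above, a device with a wrong clock or a stale cached CRL will fail the date checks even when the signer is correct.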