We should try and be more verbose when it comes to PKIX path validation. Include more information in debug logs where possible.
Here's a recent example I worked on :
certpath: X509CertSelector.match(SN: xxx1a8ae
Issuer: OU=xxxxx CA,OU=Certification Authorities,OU=xxxxx,O=xxxx,C=US
Subject: OU=xxx CA4,OU=Certification Authorities,OU=xxxxx,O=xxxx,C=US)
certpath: X509CertSelector.match: subject key IDs don't match
Print the SKIDs! there are other examples in X509CertSelector also where we can print IDs to debug logs.