I decided to drop this idea, because from what I found nginx and Apache are not able to use certificate in the middle of the chain as CA to authenticate clients. In case anyone wonders, I ended up using same self-signed CA and same client certificate, only I pinned its fingerprint for the site when I planned to use admin-ca.cer certificate.