openssl verify has an -untrusted option to specify a chain of intermediate certificates that stand between -CAfile or -CApath option.

Does anyone know how we specify the intermediate cert chain for the openssl s_client and the openssl s_server commands? The man pages do not say anything about it unfortunately.

It seems that if the intermediate chain is included in the file passed to the -cert option together with the client or server certificate, it does not work; only the first certificate is read from that file.
Meta: this isn't really a programming or development question. It might belong instead on superuser or maybe security.SX.
For OpenSSL versions 1.1.0 (released 2016-08) and up, you can provide the (exact) intermediate/chain cert(s) in a file using -cert_chain, and/or you can specify -build_chain and use -chainCAfile and/or -chainCApath, from which the needed cert(s) are selected, similar to the way -CAfile and -CApath are traditionally used. However, these aren't documented in 1.1.0, only in 1.1.1 (2018-09); see those man pages if you have them installed, or on the web for s_client and s_server.

For lower versions, you need a kludge: -CAfile and -CApath, which nominally supply the truststore for verifying the peer cert, are also used (implicitly) to complete your own (self) chain. Note that non-root CA certs in the truststore are used to build chains both for sending and for verification (receiving), but not as verification anchors in these versions, so including them never changes what peer certs are actually accepted as valid. (In 1.1.0 and 1.1.1 they still are not anchors by default, but are if you specify -partial_chain.)
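As an added example (not code from the question or the answer), the script below builds a throwaway root -> intermediate -> leaf chain and then runs s_server three times: with the leaf alone, with the intermediate passed via -cert_chain, and with -build_chain selecting it from a -chainCAfile pool, recording the "Verify return code" that an s_client trusting only the root reports each time. It assumes an OpenSSL 1.1.1 or later binary on PATH and free loopback ports; all subjects, file names and ports are made up for the example.

```shell
# Added example, not code from the question or the answer. Builds a throwaway
# root -> intermediate -> leaf chain, then shows what s_client reports when
# s_server is started with and without the intermediate. Assumes OpenSSL >= 1.1.1
# on PATH and free loopback ports; names, subjects and ports are made up here.
set -e
WORK=$(mktemp -d); cd "$WORK"
PORT=$((20000 + $$ % 20000))

# CA:TRUE is required on root and intermediate; without it s_client reports an
# invalid CA instead of the missing-issuer error this example is about.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
mk_key_csr() {  # $1 = name; writes $1.key and $1.csr
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=Added example $1" -out "$1.csr" 2>/dev/null
}
mk_key_csr root
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
mk_key_csr inter
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.ext -out inter.pem 2>/dev/null
mk_key_csr leaf
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 \
  -out leaf.pem 2>/dev/null

# probe PORT [s_server options]: serve leaf.pem on PORT with the extra options,
# connect once with an s_client that trusts only the root, and print the
# numeric "Verify return code" from the client's output.
probe() {
  port=$1; shift
  openssl s_server -accept "$port" -cert leaf.pem -key leaf.key -www "$@" >/dev/null 2>&1 &
  pid=$!
  sleep 1
  openssl s_client -connect "127.0.0.1:$port" -CAfile root.pem </dev/null 2>/dev/null \
    | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
}

# Leaf only (what the question observes when the chain is appended to the -cert
# file): the client cannot complete the chain to the root, non-zero code.
NO_CHAIN=$(probe $((PORT + 1)))
# The exact intermediate(s) supplied with -cert_chain (1.1.0 and later).
EXPLICIT=$(probe $((PORT + 2)) -cert_chain inter.pem)
# -build_chain picks the needed certs from a pool; the pool has to reach the
# root because s_server verifies the chain it builds before using it.
cat inter.pem root.pem > pool.pem
BUILT=$(probe $((PORT + 3)) -build_chain -chainCAfile pool.pem)
echo "leaf only: $NO_CHAIN  -cert_chain: $EXPLICIT  -build_chain: $BUILT"
cd / && rm -rf "$WORK"
```

Swapping `-CAfile root.pem` for a file holding root and intermediate on the server side reproduces the pre-1.1.0 kludge the answer describes, since s_server completes its own chain from that truststore.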