I have the global sign new and old CA certs in a single file. Successful verification seems to depend on the order of the certificates in the file:
$ cat globalsign_new.pem globalsign_old.pem > test.pem $ openssl s_client -connect bbc.co.uk:443 -CAfile test.pem ... Verify return code: 0 (ok) $ cat globalsign_old.pem globalsign_new.pem > test.pem $ openssl s_client -connect bbc.co.uk:443 -CAfile test.pem ... Verify return code: 10 (certificate has expired) $ openssl version OpenSSL 1.0.1f 6 Jan 2014 It seems like it should verify against both certificates, for example if a renewed CA cert is issued before it becomes valid. Thanks Tristan
globalsign_new.pem
Description: application/x509-ca-cert
globalsign_old.pem
Description: application/x509-ca-cert