I have the global sign new and old CA certs in a single file. Successful verification seems to depend on the order of the certificates in the file:
$ cat globalsign_new.pem globalsign_old.pem > test.pem
$ openssl s_client -connect bbc.co.uk:443 -CAfile test.pem
...
Verify return code: 0 (ok)
$ cat globalsign_old.pem globalsign_new.pem > test.pem
$ openssl s_client -connect bbc.co.uk:443 -CAfile test.pem
...
Verify return code: 10 (certificate has expired)
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
It seems like it should verify against both certificates, for example
if a renewed CA cert is issued before it becomes valid.
Thanks
Tristan
globalsign_new.pem
Description: application/x509-ca-cert
globalsign_old.pem
Description: application/x509-ca-cert
