It turned out not to be an OpenSSL issue, but a problem in our mail client
(Outlook).
The mail was indeed modified: the mail was delivered with an application/pdf
attachment into the mailbox, but the client only sees an empty attachment.
Probably a virus scanner removed it, we have to check, but
Probably really damaged in transit. The empty attachment should not be empty
too.
But the CA chain is complete and correct: there is a CA certificate present
with required
AKI 44:6A:95:67:55:79:11:4F and
SKI 41:91:69:1C:BF:AD:D8:98
Specifying the root CA in -CAfile must (and normally really