Hi Ben,
Thanks for your explanation, I think I understood it.
But there is something which is confusing. I created this thread because of an issue with a specific external server. Now, after your explanations, I looked it up in the private keys and I can see the whole chain from the server cert to the root CA. But this root CA is not the same as the one I have to trust for opening a connection. So we have the following minimally required certs for the mentioned external server:
Private Keys: client key (with cert chain to QuoVadis Global SSL --> QuoVadis Root CA)
Certificates: Intermediate cert (Symantec Class 3 Secure Server CA - G4)
So, contrary to your statement, these two chains are not the same (is this a special case?).
I also tested the chain by executing an openssl s_client -connect <ip:port> -showcerts and I can see the whole chain in this query (server cert, intermediate cert Symantec, root cert Symantec), so the external server should send the Symantec root CA to me and, as far as I understand, it should be enough to only trust the root CA in this case. Is this correct?
Kind regards,
Andreas
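The trust question in the post above can be reproduced offline. The script below is an added example, not code from anyone in this thread: it builds two unrelated CA hierarchies locally (constructed placeholder names, standing in for the two different roots mentioned in the post, not the real QuoVadis or Symantec certificates), then uses openssl verify with only the root as trust anchor and the intermediate supplied as an untrusted cert, which is the position a TLS client is in when the server sends its chain. It assumes the openssl command-line tool and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the thread): two independent CA hierarchies are
# generated locally and checked with "openssl verify". All names below are
# constructed placeholders; no real CA certificates are involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal OpenSSL config: one extension section for CA certs, one for leaves.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# make_root NAME CN: self-signed root CA written to NAME.key / NAME.pem
make_root() {
  openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 1 -subj "/CN=$2" 2>/dev/null
}

# issue NAME CN ISSUER EXT_SECTION: certificate for NAME signed by ISSUER's key
issue() {
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$CFG" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# chain_status LEAF ROOT [INTERMEDIATE]: prints OK when LEAF chains to ROOT.
# ROOT is the only trusted anchor (system CA store disabled). INTERMEDIATE,
# if given, is passed as -untrusted, i.e. the same standing a peer-sent
# intermediate has during a TLS handshake.
chain_status() {
  _leaf="$WORK/$1.pem"; _root="$WORK/$2.pem"
  if [ -n "${3:-}" ]; then set -- -untrusted "$WORK/$3.pem"; else set --; fi
  if openssl verify -no-CAfile -no-CApath -CAfile "$_root" "$@" "$_leaf" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# One hierarchy for the server certificate, a separate one for the client
# certificate, mirroring the two different roots seen in the post.
make_root server_root "Constructed Server Root CA"
issue server_inter "Constructed Server Intermediate CA" server_root ca_ext
issue server_leaf  "server.example.test"                server_inter leaf_ext
make_root client_root "Constructed Client Root CA"
issue client_inter "Constructed Client Intermediate CA" client_root ca_ext
issue client_leaf  "client.example.test"                client_inter leaf_ext

echo "server leaf, trust server root, intermediate supplied:  $(chain_status server_leaf server_root server_inter)"
echo "server leaf, trust server root, no intermediate:        $(chain_status server_leaf server_root)"
echo "server leaf, trust client root (other hierarchy):       $(chain_status server_leaf client_root client_inter)"
echo "client leaf, trust client root, intermediate supplied:  $(chain_status client_leaf client_root client_inter)"
```

The four results show the two points at issue in the thread: trusting only the root is sufficient as long as the peer sends the intermediate (second line fails when it is missing), and the client certificate's own chain, which ends at a different root, plays no part in validating the server's certificate (third line fails). The root that the server itself sends is ignored by the verifier; only the locally configured anchor counts.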