I have an SSL client/server application.
My SSL client has only one root certificate authority (let's call it rootCA1) configured in its trust store.
However, my SSL server produces a certificate that is signed by an intermediate CA (let's call it interCA1).
The intermediate CA has its certificate (let's call it deviceCert) signed by rootCA1 (which the client trusts). The SSL server produces the certificates of interCA1 as well as rootCA1 along with deviceCert during SSL hello.
Now OpenSSL rejects such a connection at the client side.
OpenSSL should be able to establish the chain of trust by looking at deviceCert --signed by--> interCA1 --signed by--> rootCA1, since it trusts rootCA1 and the chain of trust can be seen, in my understanding.
So why does it fail? Why is it required to have intermediate CAs configured in the client's trust store?
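
A way to reproduce the setup above offline and see what `openssl verify` does when only rootCA1 is trusted and interCA1 is supplied as an untrusted, peer-sent certificate. This is an added example, not code from the original post; it follows the chain as drawn in the post (deviceCert, interCA1, rootCA1). The names `badInterCA` and `deviceCert2`, and the comparison case of an intermediate issued without `CA:TRUE`, are assumptions added here and are not something the post states.

```sh
#!/bin/sh
# Constructed lab PKI. rootCA1, interCA1 and deviceCert mirror the question;
# badInterCA and deviceCert2 are hypothetical names for the comparison case.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export OPENSSL_CONF="$WORK/lab.cnf"   # minimal config, independent of system defaults
cat > "$OPENSSL_CONF" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[is_ca]
basicConstraints = critical,CA:TRUE
[not_ca]
basicConstraints = critical,CA:FALSE
EOF

# csr NAME: new RSA key and certificate request with CN=NAME
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# sign NAME ISSUER SECTION: ISSUER signs NAME's request using extension SECTION
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$OPENSSL_CONF" \
    -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
}
# verify_leaf LEAF [INTER]: rootCA1 is the only lab certificate trusted; INTER,
# if given, is passed as untrusted, the way a certificate sent by the peer is.
verify_leaf() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$WORK/rootCA1.pem" -untrusted "$WORK/$2.pem" "$WORK/$1.pem"
  else
    openssl verify -CAfile "$WORK/rootCA1.pem" "$WORK/$1.pem"
  fi
}

# Self-signed root, then two intermediates (one a real CA, one not) and their leaves.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rootCA1" \
  -extensions is_ca -keyout "$WORK/rootCA1.key" -out "$WORK/rootCA1.pem" 2>/dev/null
csr interCA1;    sign interCA1 rootCA1 is_ca
csr deviceCert;  sign deviceCert interCA1 not_ca
csr badInterCA;  sign badInterCA rootCA1 not_ca
csr deviceCert2; sign deviceCert2 badInterCA not_ca

verify_leaf deviceCert interCA1       || echo "unexpected: valid chain rejected"
verify_leaf deviceCert                || echo "rejected: intermediate not supplied"
verify_leaf deviceCert2 badInterCA    || echo "rejected: intermediate is not a CA"
```

Running `openssl verify` the same way against the real rootCA1, interCA1 and deviceCert files prints the depth and reason of the first failing link, which narrows down which certificate in the chain the client is objecting to.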