As Far as I am able to inform, the openssl validate in the very first scenario will Test the chain and fall short, when the second only will Examine the chain within the signing-ca.crt to the root (not needing the opposite certs, so just disregarding them) Spoil your furry Pal https://maps.app.goo.gl/9y4LfCmrsyYSbzTo6