macOS - verify certificate with openssl
After installing a certificate for a service, you should verify that the server actually presents a chain that verifies up to a trusted root. For a mail gateway running SMTP on port 25 with STARTTLS, this is typically done with the following command:
echo QUIT | openssl s_client -connect mail.gateway.domain:25 -starttls smtp
If everything is fine you get lines like these (as an example):
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify return:1
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
verify return:1
depth=0 /CN=mail.gateway.domain
verify return:1
… followed by many other lines. "verify return:1" at each depth means the verify callback accepted the certificate at that level of the chain; the authoritative result is the summary line near the end of the output, which reads "Verify return code: 0 (ok)" when the whole chain verifies. Note that this only proves the chain leads to a trusted root: older OpenSSL versions do not check that the name in the certificate matches the host you connected to, so compare the depth=0 subject with the host name yourself.
But not so with macOS (in my case version 10.12.1). Running the same command there can give a result like this:
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
or this:
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
"verify return:0" together with a "verify error:num=…" line says the chain could not be verified. Error 19 means openssl reached a self-signed root that it does not trust; error 20 means it could not find the issuer of a certificate in the chain at all. Both point to the same cause: the connection and the server's chain are fine, but the client has no trust store to check against.
The issue is that "openssl" doesn't know where the root certificates are located in the file system. To overcome this problem "openssl" has the option
-CApath /path/to/certs
which points to a directory of trusted root certificates. The directory must contain the certificates under their subject-hash names (the symlinks that "c_rehash" or, on newer versions, "openssl rehash" creates); a directory of plain .pem files without those links will not be found. The alternative is
-CAfile /path/to/ca-bundle.pem
which takes a single file containing all trusted roots concatenated in PEM form and needs no hashing. On most Linux systems the hashed directory is "/etc/ssl/certs" (Debian and Ubuntu) or "/etc/pki/tls/certs" (Red Hat based systems), with a bundle file alongside it.
Unfortunately macOS doesn't have such a directory. The certificates are stored in keychains. You can see all of them if you open the "Keychain Access" application and select the "System Roots" keychain and the "Certificates" category. But the "openssl" command line tool doesn't use the keychain.
One solution could be to export the certificates one by one with the "Keychain Access" application. But this is very painful work. Another solution could be to copy the certificate directory from another UNIX / Linux / Solaris system to any directory of your choice and run "openssl" with the "-CApath" option (copy the hash symlinks along with the files, or regenerate them with "c_rehash" afterwards). Keep in mind that you are then trusting whatever that other system trusts, and that the copy will not receive updates when that system's CA package is updated. This is the approach I used.
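A less painful alternative, added here as an example and not part of the original post, is to export the System Roots keychain from the command line with the "security" tool, which prints every certificate in a keychain in PEM form, and then hand the resulting bundle to openssl with -CAfile. The script below also contains a small check that reads an s_client transcript and reports success only when no "verify error:" line is present and the summary line "Verify return code: 0 (ok)" appears, so a script does not mistake the per-depth "verify return:1" lines for a verified chain. The host name, the output file name and the keychain path for System Roots are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumes a macOS host with
# the `security` and `openssl` command line tools; the SMTP host name and the
# bundle file name are illustrative.

# Export every certificate in the System Roots keychain as one PEM bundle,
# which is the form openssl's -CAfile option expects.  Prints the bundle path.
export_macos_roots() {
    out="${1:-$HOME/macos-roots.pem}"
    security find-certificate -a -p \
        /System/Library/Keychains/SystemRootCertificates.keychain > "$out" \
        || return 1
    # Sanity check: an empty bundle means the keychain path is wrong or the
    # export failed, so refuse to use it.
    n=$(grep -c 'BEGIN CERTIFICATE' "$out")
    [ "$n" -gt 0 ] || return 1
    echo "$out"
}

# Read an s_client transcript from stdin and return 0 only if the chain
# verified.  A "verify error:" line at any depth is a failure, and the
# per-depth "verify return:1" lines are not enough on their own; the summary
# "Verify return code: 0 (ok)" is the authoritative result.
check_s_client_output() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'verify error:'; then
        return 1
    fi
    if printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)'; then
        return 0
    fi
    return 1
}

# Run the STARTTLS check from the post against a mail gateway, using the
# exported bundle as the trust store.
# Usage: verify_smtp_tls mail.gateway.domain 25 "$HOME/macos-roots.pem"
verify_smtp_tls() {
    host="$1"; port="${2:-25}"; cafile="$3"
    echo QUIT | openssl s_client -connect "$host:$port" -starttls smtp \
        -CAfile "$cafile" 2>&1 | check_s_client_output
}
```

Typical use is bundle=$(export_macos_roots) followed by verify_smtp_tls mail.gateway.domain 25 "$bundle"; the exit status of verify_smtp_tls is 0 only when the chain verifies against the exported roots. Re-run the export after a macOS update, since that is when Apple changes the System Roots keychain.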