I want openssl to list the entire cert chain, including the root CA, when executing:

    openssl s_client -showcerts -connect host:443

However, this is not the case. The depth 2 root CA cert is not included:
    openssl s_client -showcerts -connect www.google.com:443
    CONNECTED(00000005)
    depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
       i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
    -----BEGIN CERTIFICATE-----
    MIIFkzCCBHugAwIBAgIQP1H8lc2ARYwDAAAAALrahTANBgkqhkiG9w0BAQsFADBC
    MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw
    EQYDVQQDEwpHVFMgQ0EgMU8xMB4XDTIwMTExMDE0MjgwOVoXDTIxMDIwMjE0Mjgw
    OFowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
    DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFzAVBgNVBAMTDnd3
    dy5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvnPJ
    VeaTK7pGoNtG1rGNLHR2y2aYUXJx5+mHCUQsn0+hsEb1VXJQtbI61Zs8HEH3kGmd
    PD3opQoH5wY9uBadLMsGXtfSeuFCIJThLgz8SCTOr7Q/BDJqZ37HaibQfYu8upcR
    Mvd/Gp5udJAy2uFlQ5o5vCf0ySAPXrN1fmhh1z6pIXJa0pLmG/rysSMAJZbVOF0J
    nEfJ1/HTGiPzzNON37DHvWc1t13tFuc3xiIsWQrEkOoknhLAiZvle0R9CNB2vawd
    aQmRXLHRi+1BJRLvgCDgdM/wMdLwDUHCPf08B3WC7O2W3yxu8Tu3AWC7g1LY0XRb
    24qAW+8e7VzPmfRvBQIDAQABo4ICXTCCAlkwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud
    JQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBvBctGy1itS
    cOPrDhxR3cCF31OaMB8GA1UdIwQYMBaAFJjR+G4Q68+b7GCfGJAboOt9Cf0rMGgG
    CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAYYfaHR0cDovL29jc3AucGtpLmdvb2cv
    Z3RzMW8xY29yZTArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nL2dzcjIvR1RT
    MU8xLmNydDAZBgNVHREEEjAQgg53d3cuZ29vZ2xlLmNvbTAhBgNVHSAEGjAYMAgG
    BmeBDAECAjAMBgorBgEEAdZ5AgUDMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9j
    cmwucGtpLmdvb2cvR1RTMU8xY29yZS5jcmwwggEFBgorBgEEAdZ5AgQCBIH2BIHz
    APEAdwD2XJQv0XcwIhRUGAgwlFaO400TGTO/3wwvIAvMTvFk4wAAAXWyxYQuAAAE
    AwBIMEYCIQCH6zkFy7ML4LOs6uXxQGdAY+ggd/MPz46av190Df4z0wIhALdmziRv
    LtcrwcWa7apMJbfNVtRQiD0kRp9oQAx5+4t1AHYAlCC8Ho7VjWyIcx+CiyIsDdHa
    TV5sT5Q9YdtOL1hNosIAAAF1ssWEfQAABAMARzBFAiEAiUjUL8/6cpQJ8p9tWUE5
    Sib0yQLYp7Y2v+ocLCapxJACIHWcToQ7NTrnJW2uAqpyruoGppLPou6D4eugtC9/
    8FmhMA0GCSqGSIb3DQEBCwUAA4IBAQC2rVWLbSjwz3yIghOQGgHt0WPN8HjPbUoU
    m6qqsrpqgIGg6ZpHRqO+Qym5yWTgabpCQ+5Mi/Q+FwJlqLd49UydB2xSndiuHPxj
    aYanphIHLhx4NqFmNiktg+ZY7d5ARz0sVBkom2mc9WHnpPJQPWhXdBL0OgY7r+Ik
    Y3NkRocsigeyyjHyE9VL6WTmRV64/ehih/pQCJBeb69yU0FkkWJ9EwwaN7Z0rSHd
    4hdCTGfl1Lg34Nl5e6IoOTrOLh5uFHdJAiAdXWeDDLfYlgpUAhtf+pWYTWyKGhg0
    2haxV9AoHZKY3KTd4tb6OC/O+6g0GauNoiOt55Os0pnKk5i0gZ0r
    -----END CERTIFICATE-----
     1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
       i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    -----BEGIN CERTIFICATE-----
    MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
    HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
    U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
    MTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
    U2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnv
    UA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRr
    mBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++Ac
    xGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmK
    FsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7X
    rJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNV
    HQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1Ud
    EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8G
    A1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAl
    BggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzAp
    MCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0g
    BDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9y
    ZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7H
    TgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoN
    FvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrz
    mqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wW
    IRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZ
    USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
    issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, X25519, 253 bits
    ---
    SSL handshake has read 3208 bytes and written 281 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-CHACHA20-POLY1305
        Session-ID: BDC10F2FDB072D68E18A32B3BFE025D874AB08C97C11D2FA9D7105010CFE44A5
        Session-ID-ctx: 
        Master-Key: 2A041A3C5386A91E9088D17502FE33DFE7794A688D205CCBFE5AEF86B1E6E3AD43580C28FD024BE8007F2A9CC9377B6D
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        0000 - 01 bc 94 57 98 22 79 55-e5 74 07 e4 15 9d cb 21   ...W."yU.t.....!
        0010 - 31 6b e0 cb 69 f5 83 08-93 80 b1 88 fd 3e a9 3f   1k..i........>.?
        0020 - 22 c0 e3 1d f8 7b de 93-56 08 20 94 38 64 a3 58   "....{..V. .8d.X
        0030 - b2 a9 49 a4 20 9f 0f 14-b2 58 1d 47 ae ca de 9a   ..I. ....X.G....
        0040 - fe 72 0e 84 ad eb 14 8b-c3 2b fd 29 df da 8a 4c   .r.......+.)...L
        0050 - 53 21 1d 69 5c b6 5e 22-5a e7 ba c4 e0 65 7a b7   S!.i\.^"Z....ez.
        0060 - 39 d5 52 b4 19 40 16 72-eb 2e 88 03 8d 25 d7 0d   9.R..@.r.....%..
        0070 - 83 ac 13 9e ad 49 33 56-5c 74 e3 22 af af 69 d3   .....I3V\t."..i.
        0080 - fc 4b fe 40 57 44 94 e4-df 8c db 0f 9b 42 a7 1a   .K.@WD.......B..
        0090 - 4c 2d 1e c3 28 0d 41 78-ff b7 55 1c fb 02 59 b2   L-..(.Ax..U...Y.
        00a0 - 10 8f 44 b9 c2 4a ec 59-ef 6b 89 e0 15 b9 db 63   ..D..J.Y.k.....c
        00b0 - df 78 da 4e 0f 69 d7 c9-13 b5 0c 8f a4 67 65 17   .x.N.i.......ge.
        00c0 - f9 74 41 ae 6a da a5 22-b5 1c 7f 46 0d b0 64 74   .tA.j.."...F..dt
        00d0 - d8 40 f2 c0 46 e6 7c 71-d9 bf b8 91 75            .@..F.|q....u

        Start Time: 1608578092
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

A quick investigation reveals why this might be the case. 04:00:00:00:00:01:0F:86:26:E6:0D is the serial number of the root CA cert of the www.google.com chain that I can see when I inspect it in the browser:
    openssl version -a
    LibreSSL 2.8.3
    built on: date not available
    platform: information not available
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: information not available
    OPENSSLDIR: "/private/etc/ssl"

    ls -lR /private/etc/ssl
    total 696
    -rw-r--r--  1 irek  staff  346545 Dec 21 20:08 cert.pem
    drwxr-xr-x  2 root  wheel      64 Sep  9  2019 certs
    -rw-r--r--  1 root  wheel     745 Sep  9  2019 openssl.cnf
    -rw-r--r--  1 root  wheel    1006 Sep  9  2019 x509v3.cnf

    /private/etc/ssl/certs:

    cat /private/etc/ssl/cert.pem | grep -i '04:00:00:00:00:01:0F:86:26:E6:0D'
    04:00:00:00:00:01:0f:86:26:e6:0d

Up until now it could make sense. However, when I:
- delete this certificate from /private/etc/ssl/cert.pem,
- or specify CApath without this cert,
- or specify CAfile without this cert,

nothing changes: the depth 2 root CA cert is not listed anyway.
I either made an incorrect assumption that I can get openssl to include the top-level cert in the cert chain with -showcerts, or I'm misinterpreting the role of CApath / CAfile, or I'm making a simple mistake somewhere.
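An added example, not part of the question above, that reproduces the behaviour offline: a TLS server sends only the chain it is configured with (normally the leaf and intermediates, not the root), and -showcerts prints exactly what was received, while CAfile/CApath are consulted to verify that chain, not to extend the listing. Every certificate name, key and file below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question). Builds a throwaway root -> intermediate
# -> leaf hierarchy with constructed names, writes the chain a server typically
# sends (leaf + intermediate, root omitted), and shows that the root is found
# locally: -showcerts prints what the peer sent, while CAfile/CApath are only
# consulted for verification. Needs openssl, awk and grep.
set -e
W=$(mktemp -d); cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
gen_csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
gen_csr root "Example Test Root"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
gen_csr int "Example Test Intermediate"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out int.pem 2>/dev/null
gen_csr leaf www.example.test
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
cat leaf.pem int.pem > server_chain.pem   # what a server sends: depth 0 and 1 only
cat int.pem root.pem  > cafile.pem         # local trust bundle, standing in for cert.pem

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"; }   # 1-based

# Locate the root the way a CApath lookup does: the issuer hash of the last
# cert the server sent must equal the subject hash of a cert in the bundle.
find_root() {  # $1 = chain sent by the server, $2 = CAfile; prints the root's subject
  want=$(nth_cert "$1" "$(count_certs "$1")" | openssl x509 -noout -issuer_hash)
  i=1; n=$(count_certs "$2")
  while [ "$i" -le "$n" ]; do
    if [ "$(nth_cert "$2" "$i" | openssl x509 -noout -subject_hash)" = "$want" ]; then
      nth_cert "$2" "$i" | openssl x509 -noout -subject
      return 0
    fi
    i=$((i + 1))
  done
  return 1
}

# Verification succeeds because the root is taken from the local bundle, even
# though the chain file (like -showcerts output) never contained it.
verify_chain() { openssl verify -CAfile "$2" -untrusted "$1" "$3" >/dev/null 2>&1; }  # $3 = leaf

echo "certs sent by server: $(count_certs server_chain.pem)"       # 2, no root
find_root server_chain.pem server_chain.pem || echo "root is not in the server's chain"
echo "root found in CAfile: $(find_root server_chain.pem cafile.pem)"
verify_chain server_chain.pem cafile.pem leaf.pem && echo "chain verifies against the local root"
```

To do the same against a live host, save the PEM blocks printed by `openssl s_client -showcerts` to a file and pass that file as the first argument of find_root with your cert.pem as the second.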