I am using the following script to verify a certificate against its CRL on OS X 10.11.6 El Capitan.

host=wikipedia.org
port=443

# Leaf certificate: the first PEM block s_client prints
openssl s_client -connect "$host:$port" -servername "$host" 2>&1 </dev/null \
  | sed -n '/-----BEGIN/,/-----END/p' > "$host.pem"

# CRL URL taken from the leaf's "X509v3 CRL Distribution Points" extension
crlurl=$(openssl x509 -noout -text -in "$host.pem" \
  | grep -A 4 'X509v3 CRL Distribution Points' | grep URI | grep -Eo '(http|https)://[^"]+')

# Fetch the CRL (usually DER) and convert it to PEM so it can be concatenated
curl -s "$crlurl" -o "$host.crl.der"
openssl crl -inform DER -in "$host.crl.der" -outform PEM -out "$host.crl.pem"

# Full chain as served (-showcerts); awk keeps every PEM block, so no IFS splitting is needed
openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>&1 </dev/null \
  | awk '/BEGIN CERT/ {p=1} p==1 {print} /END CERT/ {p=0}' > "$host.chain.pem"

# Bundle chain + CRL and verify the leaf with CRL checking enabled
cat "$host.chain.pem" "$host.crl.pem" > "$host.crl_chain.pem"

openssl verify -crl_check -CAfile "$host.crl_chain.pem" "$host.pem"

It works fine on Ubuntu but throws the following error when run on OS X 10.11.6 El Capitan.

wikipedia.org.pem: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
error 2 at 1 depth lookup:unable to get issuer certificate

Connecting to wikipedia.org with s_client returns:

Verify return code: 20 (unable to get local issuer certificate)
It seems that on Linux OpenSSL is reading the root certificate from the truststore. I tried adding the root certificate to the chain manually for Mac. It's working with this approach. But why do we need to add the root certificate manually to the chain? Is there any way to retrieve the root certificate with the chain? – MUsman Feb 27 '18 at 06:38
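An added example, not the question's script: it builds a throwaway root -> intermediate -> leaf PKI offline, issues a CRL, and runs the same `openssl verify -crl_check` against a bundle without the root and one with it (plus a revoked leaf, to show what a CRL hit looks like). `-no-CAfile -no-CApath` keep the system trust store out of the picture, so Linux behaves like the OS X run above. All names, paths and the CA config are constructed for this example.

```shell
#!/bin/sh
# Constructed example: throwaway PKI + CRL to show why `openssl verify -crl_check`
# needs the ROOT in the -CAfile bundle (the system store is deliberately ignored).
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal config for the intermediate so `openssl ca -gencrl` / `-revoke` work (constructed)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = inter_ca
[ inter_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = inter.pem
private_key      = inter.key
default_md       = sha256
default_crl_days = 7
EOF
: > index.txt; echo 1000 > crlnumber
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root (self-signed), intermediate (signed by root), leaf (signed by intermediate)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj '/CN=Example Root' -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj '/CN=Example Intermediate' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.pem -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj '/CN=leaf.example.test' 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 30 2>/dev/null

# CRL issued by the intermediate; -crl_check looks for the leaf issuer's CRL in the bundle
openssl ca -config ca.cnf -gencrl -out inter.crl.pem 2>/dev/null
cat inter.pem inter.crl.pem > chain_no_root.pem             # like the question: no root
cat root.pem inter.pem inter.crl.pem > chain_with_root.pem  # root added manually

# Revoke the leaf and reissue the CRL so a positive CRL match can be seen too
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out inter.revoked.crl.pem 2>/dev/null
cat root.pem inter.pem inter.revoked.crl.pem > chain_revoked.pem

# Verify leaf.pem against a bundle only (no default CAfile/CApath); prints
# "leaf.pem: OK" or openssl's error lines, and never aborts the script.
verify_msg() { openssl verify -crl_check -no-CAfile -no-CApath -CAfile "$1" leaf.pem 2>&1 || true; }

for bundle in chain_no_root.pem chain_with_root.pem chain_revoked.pem; do
  echo "== $bundle"; verify_msg "$bundle"
done
```

The first bundle reproduces "error 2 at 1 depth lookup: unable to get issuer certificate" even though the CRL is present, because without the root nothing in the bundle is a trust anchor the chain can end on.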

1 Answer

The CA issuer of wikipedia.org is present in the truststore, i.e. cacerts.pem, on your Ubuntu, which is mostly located in

lib/security/cacerts

& is absent in your OS X 10.11.6 El Capitan truststore

$(/usr/libexec/java_home)/jre/lib/security/cacerts

Use the following command to view the SSL certificate chain & try appending the root CA of wikipedia.org to your Mac truststore

openssl s_client -showcerts -servername wikipedia.org -connect wikipedia.org:443