Understanding the output of openssl s_client

ssl-certificate openssl

The answer (as explained in this security.SE post) is that the two GeoTrust Global CA certificate you see in the chain are in fact not the same certificate, one is derived from the other.

Because of CA Cross-signing!

When the GeoTrust Global CA certificate was first created and signed, no computer/browsers/applications would have had it in their trust store.

By having another CA (with a pre-existing reputation and distribution) sign the GeoTrust root CA cert, the resulting certificate (referred to as a "bridge" certificate) can now be verified by the second CA, without the GeoTrust root CA certificate having to be trusted by the client explicitly.

When Google presents the Cross-signed version of the GeoTrust root CA cert, a client that doesn't trust the original can just use the Equifax CA cert to verify GeoTrust - so Equifax acts as a kind of "legacy" trust anchor.

Related

How can I make a linux samba server to announce itself on the local LAN via Bonjour to Mac clients?
How to SSH directly to target via jumphost using SSH Config without additional ssh command
Linux ssh: allow public-key authentication without giving user read rights to private key
Apache MPMs - Worker vs Prefork
SCP filename tab completion
Install PHP7 from Remi repo
How can I permanently set ulimit -n 8192 in Centos 7?
Strongswan vpn tunnel connected but the traffic is not routed through it
nginx passing back custom header
Set up sftp to use password but ssh not to use password
Distribution of root certificate with Windows AD Certificate Services
Booting a native Windows install in Virtualbox: is it possible? [closed]