Comment 18 for bug 1919563

Marco Trevisan (Treviño) (3v1n0) wrote :

Yeah, sure...

As per man page:

  -partial_chain
           Allow verification to succeed even if a complete chain cannot be built to a self-signed trust-anchor,
           provided it is possible to construct a chain to a trusted certificate that might not be self-signed.

And you can test it quite easily with the attached generated certs using:

  openssl verify [-partial_chain] \
    -CAfile test_CA/intermediate_CA/SSSD_test_intermediate_CA.pem \
    test_CA/intermediate_CA/SSSD_test_intermediate_CA_cert_x509_0001.pem

While when using -partial_chain it will only match when using test_CA/intermediate_CA/SSSD_test_intermediate_CA_full_db.pem as CAfile.
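
An added example, not part of the original comment and not SSSD test code: the attachments are not on this page, so the script below builds a throwaway root, intermediate and leaf chain and reports which `-CAfile` and flag combinations `openssl verify` accepts for the leaf. All file names and subjects are constructed, and it assumes an `openssl` binary (1.1.0 or later) with its default configuration file installed.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain (all names constructed).

gen_key_csr() {  # $1 = file basename, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_pki() {  # $1 = empty working directory
    (
        cd "$1" || exit 1
        # Both CA certificates need CA:TRUE so they are accepted as issuers.
        printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
            'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
        gen_key_csr root  "Example Root CA" &&
        gen_key_csr inter "Example Intermediate CA" &&
        gen_key_csr leaf  "example-leaf" &&
        openssl x509 -req -in root.csr -signkey root.key -days 2 \
            -extfile ca.ext -out root.pem 2>/dev/null &&
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -set_serial 2 -days 2 -extfile ca.ext -out inter.pem 2>/dev/null &&
        openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
            -set_serial 3 -days 2 -out leaf.pem 2>/dev/null &&
        cat inter.pem root.pem > full.pem   # intermediate + self-signed root
    )
}

verify_leaf() {  # $1 = dir, $2 = CAfile name, $3 = optional extra flag
    # $3 is intentionally unquoted so an empty value adds no argument.
    openssl verify $3 -CAfile "$1/$2" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d) || exit 1
make_pki "$demo_dir" || { echo "PKI generation failed" >&2; exit 1; }
for args in "full.pem" "inter.pem" "inter.pem -partial_chain"; do
    # Word splitting of $args into CAfile name and flag is intended.
    if verify_leaf "$demo_dir" $args; then result=OK; else result=FAIL; fi
    echo "CAfile=$args: $result"
done
rm -rf "$demo_dir"
```

With `-partial_chain` the intermediate in the CA file becomes the trust anchor, so nothing above it in the chain is checked.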