A bunch of things on the internet say to do "-cafile intermediate.pem -cafile root.pem" or "-certfile intermediate.pem -certfile root.pem" and they explicitly say that calling these command-line options more than once is ok and will result in both the certs being included in the final pkcs12... But I have found this to be untrue.
I have found that if I concatenate intermediate & root into a single glom file, and then I specify -certfile once for the glom, then my pfx file will include the complete chain. But if I use -certfile twice, I get no intermediate in my pfx. And I just wasted more time than I care to describe figuring this out. So... While concatenation/glom is a viable workaround, I'd like to know, what's supposed to work? And was it a new feature introduced after a certain rev or something? I have OpenSSL 0.9.8y command-line on Mac OS X, and OpenSSL 1.0.1e command-line on cygwin. I believe I've seen the same behavior in both.
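The concatenation workaround described in the post, with a check of what ends up in the bundle, as an added example that is not part of the original post. It assumes an `openssl` binary on the PATH; the throwaway root, intermediate and leaf, their subjects, the file names and the password `example` are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every key, subject and file name below is constructed and throwaway.
count_certs_in_glommed_pfx() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
        {
            # Self-signed root CA.
            openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
                -subj "/CN=Example Root CA" -keyout root.key -out root.pem &&
            # Intermediate CA, signed by the root.
            openssl req -newkey rsa:2048 -nodes \
                -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr &&
            openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
                -CAcreateserial -extfile ca.ext -days 1 -out intermediate.pem &&
            # Leaf certificate, signed by the intermediate.
            openssl req -newkey rsa:2048 -nodes \
                -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr &&
            openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey int.key \
                -CAcreateserial -days 1 -out leaf.pem &&
            # The workaround: one concatenated file, one -certfile option.
            cat intermediate.pem root.pem > chain.pem &&
            openssl pkcs12 -export -inkey leaf.key -in leaf.pem \
                -certfile chain.pem -name leaf \
                -passout pass:example -out leaf.pfx
        } >/dev/null 2>&1 || exit 1
        # Read the bundle back and count every certificate it carries.
        openssl pkcs12 -in leaf.pfx -nokeys -passin pass:example 2>/dev/null |
            grep -c 'BEGIN CERTIFICATE'
    )
    status=$?
    rm -rf "$work"
    return $status
}

count_certs_in_glommed_pfx
```

A count of 3 means the leaf, intermediate and root are all in the pfx; running the same read-back command against any other bundle shows whether its chain is complete.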