Verifying a file signature with openssl dgst

The problem was in my ssl.conf file in Apache. It was overriding the VirtualHost settings for the domain in httpd.conf, so I moved my VirtualHost settings into ssl.conf ahead of the default:443 VirtualHost entry. Doing this resolved my issue.

Thanks again to Shane Madden for all of the help on this issue.

The answer (as explained in this security.SE post) is that the two GeoTrust Global CA certificate you see in the chain are in fact not the same certificate, one is derived from the other.

Because of CA Cross-signing!

When the GeoTrust Global CA certificate was first created and signed, no computer/browsers/applications would have had it in their trust store.

By having another CA (with a pre-existing reputation and distribution) sign the GeoTrust root CA cert, the resulting certificate (referred to as a "bridge" certificate) can now be verified by the second CA, without the GeoTrust root CA certificate having to be trusted by the client explicitly.

When Google presents the Cross-signed version of the GeoTrust root CA cert, a client that doesn't trust the original can just use the Equifax CA cert to verify GeoTrust - so Equifax acts as a kind of "legacy" trust anchor.