openssl: ssl link protocol error that can not obtain the certificate from the local sender

I have a problem with the new integration that I am working on.
You should consume a web service provided by an external company and this service is done through https, so in order to integrate them, they have shared three certificates:

  1. Root.cer
  2. Sahred.cer and the sender is Root.cer.
  3. user.cer and the sender is Shared.cer

I installed them all and executed the following commands without blocking.

The openssl connect command for the web service with the showcerts option

openssl s_client -showcerts -connect https://example.com:8443

exit:

CONNECTED (00000003)
depth = 1 C = United Kingdom, O = EXA, OU = EXA eTrust Center, CN = EXA Shared CA
Verification error: num = 20: the local issuer certificate can not be obtained
140539532310416: Error: 14094410: SSL routines: ssl3_read_bytes: alert recognition failure sslv3: s3_pkt.c: 1493: SSL alert number 40
140539532310416: error: 140790E5: SSL routines: ssl23_write: link protocol failure ssl: s23_lib.c: 177:
---
Certificate chain
0 s: / C = SA / O = EXA / OU = EXA eTrust Center / CN = example.com
i: / C = SA / O = EXA / OU = EXA eTrust Center / CN = EXA Shared CA
----- BEGIN CERTIFICATE -----
-----------
----- FINAL CERTIFICATE -----
1 s: / C = SA / O = EXA / OU = EXA eTrust Center / CN = EXA Shared CA
i: / C = SA / O = EXA / OU = EXA eTrust Center / CN = EXA CA Root
----- BEGIN CERTIFICATE -----
------
----- FINAL CERTIFICATE -----
---
Server certificate
subject = / C = SA / O = EXA / OU = EXA eTrust Center / CN = example.com
emitter = / C = SA / O = EXA / OU = EXA eTrust Center / CN = EXA Shared CA
---
Client certificate CA names have not been sent

Command curl with handshake debugging:

curl -X POST https://example.com:8443 -iv

exit:

    * TLSv1.2 (OUT), TLS header, certificate status (22):
} [5 bytes data]
 * TLSv1.2 (OUT), TLS link protocol, hello client (1):
} [512 bytes data]
 * TLSv1.2 (IN), TLS link protocol, hello server (2):
{ [87 bytes data]
 * TLSv1.2 (IN), TLS link protocol, certificate (11):
{ [3593 bytes data]
 * TLSv1.2 (OUT), TLS alert, hello server (2):
} [2 bytes data]
 * SSL certificate problem: the local issuer certificate can not be obtained
* stopped the pause sequence!

Curl command with handshake debugging and omission verification:

curl -X POST https://example.com:8443 -iv -k

exit:

    * TLSv1.2 (OUT), TLS header, certificate status (22):
} [5 bytes data]
 * TLSv1.2 (OUT), TLS link protocol, hello client (1):
} [512 bytes data]
 * TLSv1.2 (IN), TLS link protocol, hello server (2):
{ [87 bytes data]
 * TLSv1.2 (IN), TLS link protocol, certificate (11):
{ [3593 bytes data]
  0 0 0 0 0 0 0 0 -: -: - -: -: - -: -: - 0 * TLSv1.2 (IN), TLS link protocol, server key exchange (12):
{ [333 bytes data]
 * TLSv1.2 (IN), TLS link protocol, CERT request (13):
{ [36 bytes data]
 * TLSv1.2 (IN), TLS link protocol, finished server (14):
{ [4 bytes data]
 * TLSv1.2 (OUT), TLS link protocol, certificate (11):
} [7 bytes data]
 * TLSv1.2 (OUT), TLS link protocol, client key exchange (16):
} [70 bytes data]
 * TLSv1.2 (OUT), TLS change encryption, hello client (1):
} [1 bytes data]
 * TLSv1.2 (OUT), TLS link protocol, completed (20):
} [16 bytes data]
 * TLSv1.2 (IN), TLS alert, hello server (2):
{ [2 bytes data]
 * error: 14094410: SSL routines: ssl3_read_bytes: alert recognition failure sslv3

My questions:

  • What are the benefits of creating three certificates with the issuer?
    how that ?
  • Why has the ssl handshake failed? Did I miss something in my orders?
  • Do you have any idea how I can handle these certificates or at least how this communication works?
  • I really do not understand how this communication works. How can I present these certificates without any private key? Based on my
    understanding when we want to create SSL-based authentication I
    You should create a public key and a private key and you should share this
    Public key with the external company, so they can decipher the message.
    When encrypted by my private key. is this correct ?

I have also posted a question with java on stackoverflow without blocking, you can have a look for more information
https://stackoverflow.com/questions/53420158/ssl-handshake-failure-client-certifcate-not-being-sent