I'm trying to get to grips with verifying chains.

I can create some keys:
openssl genrsa -out key/1 512
openssl genrsa -out key/2 512
openssl genrsa -out key/3 512

I create a self-signed certificate for the first key:
openssl req -new -x509 -nodes -sha1 -key key/1 -out 1
(with an OU of 1)

And certificate requests for the other two:
openssl req -new -key key/2 -out req/2
openssl req -new -key key/3 -out req/3
(OUs of 2 and 3 respectively).

These requests are then signed to create a chain:
openssl x509 -req -in req/2 -CA 1 -CAkey key/1 -set_serial 01 -out 2
openssl x509 -req -in req/3 -CA 2 -CAkey key/2 -set_serial 01 -out 3

So what I have is certificate 1 that is self-signed, 2 signed by 1 and 3
signed by 2.

I can verify 2 with 1:
openssl verify -CAfile 1 2

What I don't seem to be able to do is verify 3 with 2:
openssl verify -CAfile 2 3

I get:
3: /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/OU=2
error 2 at 1 depth lookup:unable to get issuer certificate

What am I doing wrong? Should I be able to verify a chain of certificates
one at a time (i.e. verify 2 against 1 then later 3 against 2)?

Cheers

--
Sven
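
The chain from the post, rebuilt and verified three ways, as an added example that is not part of the original message: `openssl verify` builds the chain up to a self-signed certificate in the trusted set, so trusting only certificate 2 fails at depth 1 unless certificate 1 is also supplied or `-partial_chain` is given. Assumptions: the helper names, the temporary directory and the config file are hypothetical, and the sketch departs from the post by using 2048-bit keys, SHA-256 and a `basicConstraints=CA:TRUE` extension on certificates 1 and 2 so that current OpenSSL releases accept them as issuers.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.
# Deviations from the post, so current OpenSSL accepts the certs: 2048-bit keys,
# SHA-256, and basicConstraints CA:TRUE on certificates 1 and 2.

build_chain() {   # $1 = empty working directory
    d=$1
    cat > "$d/cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
prompt = no
[dn]
O = Example
[ca]
basicConstraints = critical,CA:TRUE
EOF
    # 1: self-signed root (OU=1)
    openssl req -new -x509 -nodes -sha256 -newkey rsa:2048 -keyout "$d/key1" \
        -config "$d/cnf" -subj "/O=Example/OU=1" -days 30 -out "$d/1" 2>/dev/null || return 1
    # Requests for 2 and 3
    for n in 2 3; do
        openssl req -new -nodes -newkey rsa:2048 -keyout "$d/key$n" \
            -config "$d/cnf" -subj "/O=Example/OU=$n" -out "$d/req$n" 2>/dev/null || return 1
    done
    # 2 signed by 1 (marked as a CA), then 3 signed by 2
    openssl x509 -req -sha256 -in "$d/req2" -CA "$d/1" -CAkey "$d/key1" -set_serial 01 \
        -days 30 -extfile "$d/cnf" -extensions ca -out "$d/2" 2>/dev/null || return 1
    openssl x509 -req -sha256 -in "$d/req3" -CA "$d/2" -CAkey "$d/key2" -set_serial 01 \
        -days 30 -out "$d/3" 2>/dev/null
}

# Each check succeeds only if openssl prints "<file>: OK".
# Form used in the post: only the intermediate is trusted.
verify_intermediate_only() { openssl verify -CAfile "$1/2" "$1/3" 2>/dev/null | grep -q ': OK$'; }
# Root is the trust anchor; the intermediate is supplied as an untrusted helper.
verify_full_chain() { openssl verify -CAfile "$1/1" -untrusted "$1/2" "$1/3" 2>/dev/null | grep -q ': OK$'; }
# Intermediate accepted as a trust anchor in its own right.
verify_partial_chain() { openssl verify -partial_chain -CAfile "$1/2" "$1/3" 2>/dev/null | grep -q ': OK$'; }

work=$(mktemp -d) || exit 1
build_chain "$work" || { echo "chain build failed" >&2; exit 1; }
for mode in intermediate_only full_chain partial_chain; do
    if "verify_$mode" "$work"; then echo "$mode: OK"; else echo "$mode: rejected"; fi
done
rm -rf "$work"
```

Concatenating certificates 1 and 2 into one file and passing that as `-CAfile` also works, at the cost of treating both as trusted.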