There are three parts to a cert chain:
Root Certificate: A root certificate is a digital certificate issued by the Certificate Authority that issued it. Most browsers have it pre-installed and saved in a “trust store.” CAs keep a close eye on the root certificates.

Intermediate Certificate: Intermediate certificates, like tree branches, branch out from root certificates. They serve as a link between the protected root certificates and the publically issued server certificates. There will always be at least one intermediate certificate in a chain, but there may be more.

Server Certificate: The server certificate is the one that is granted to the exact domain for which the user needs protection.


A certificate chain is a collection of certificates (typically beginning with an end-entity certificate) followed by one or more CA certificates (generally ending with a self-signed certificate), with the following properties:

-Each certificate’s issuer (save the final) corresponds to the topic of the next certificate in the list.

-The secret key corresponding to the next certificate in the chain is supposed to sign each certificate (save the last one) (i.e. the signature of one certificate can be verified using the public key contained in the following certificate).

-The trust anchor is the last certificate on the list: a certificate that you trust because it was supplied to you via a reliable mechanism. A trust anchor is a CA certificate (or, more precisely, a CA’s public verification key) that is used as the beginning point for path validation by a relying party.

Read more about it here: