Certificate chain


A certificate chain, also known as a certification path, is the list of certificates used to authenticate the subject. The path starts with the subject's certificate. Each level up is identified by the "Issuer" field of the certificate. This continues until we reach the root CA certificate, which is signed by the root CA itself because it sits at the top of the hierarchy. The certificate chain allows us to verify the whole chain of trust: if any of the certificates in the path fails validation, the end certificate cannot be trusted.



Graphic sourced from: http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10600_.htm

Certificate issued to an endpoint. Issued by the subordinate CA IssuingCA-DC1.kp.local

Subordinate CA certificate issued by ORCA1-CA

Root CA certificate issued and signed by the CA itself


It is important to note that whether the certificate chain is checked depends on the implementation of the application. While most applications and operating systems validate the path, some do not. For example, some versions of Android don't check the path. We should always test to ensure the expected results.
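To show the path walk described above (subject certificate, then whatever is named in each Issuer field, up to a self-signed root) and the kind of test the last paragraph asks for, here is an added Go example. It is not code from the original post; it generates its own throwaway three-level PKI using the names from the figure (ORCA1-CA, IssuingCA-DC1.kp.local, and an assumed endpoint name endpoint.kp.local), walks the path by hand, and then repeats the check with the standard library's `x509.Certificate.Verify`. The failing cases (intermediate not available, root not trusted) are the ones an application that skips path validation would wrongly accept.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certs is the set of certificates a verifier has on hand (sent by the peer or
// found in a local store).
type certs []*x509.Certificate

// chain holds a constructed three-level PKI: root -> subordinate -> endpoint.
// Names echo the post's figure; keys and certificates are generated here.
type chain struct{ root, sub, leaf *x509.Certificate }

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildChain() chain {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)

	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ORCA1-CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed: Issuer == Subject

	subTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "IssuingCA-DC1.kp.local"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	sub := sign(subTmpl, root, &subKey.PublicKey, rootKey) // Issuer = ORCA1-CA

	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "endpoint.kp.local"},
		DNSNames: []string{"endpoint.kp.local"}, NotBefore: nb, NotAfter: na, // assumed endpoint name
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := sign(leafTmpl, sub, &leafKey.PublicKey, subKey) // Issuer = IssuingCA-DC1.kp.local

	return chain{root, sub, leaf}
}

// walkPath follows the post's description literally: start at the subject's
// certificate, find the certificate named in its Issuer field, check the
// signature, and repeat until a self-signed certificate is reached. That
// certificate must be in the trusted set, otherwise the whole path is rejected.
func walkPath(leaf *x509.Certificate, available, trusted certs) ([]string, error) {
	var path []string
	cur := leaf
	for depth := 0; depth < 8; depth++ { // hard cap against malformed loops
		path = append(path, cur.Subject.CommonName)
		if bytes.Equal(cur.RawSubject, cur.RawIssuer) { // reached a self-signed certificate
			for _, t := range trusted {
				if t.Equal(cur) {
					return path, cur.CheckSignatureFrom(cur)
				}
			}
			return path, fmt.Errorf("self-signed %q is not a trusted root", cur.Subject.CommonName)
		}
		var next *x509.Certificate
		for _, c := range append(append(certs{}, available...), trusted...) {
			if bytes.Equal(c.RawSubject, cur.RawIssuer) {
				next = c
				break
			}
		}
		if next == nil {
			return path, fmt.Errorf("issuer %q of %q not available", cur.Issuer.CommonName, cur.Subject.CommonName)
		}
		if err := cur.CheckSignatureFrom(next); err != nil {
			return path, fmt.Errorf("%q: signature by %q invalid: %w", cur.Subject.CommonName, next.Subject.CommonName, err)
		}
		cur = next
	}
	return path, fmt.Errorf("certification path longer than 8")
}

// verifyStdlib does the same job with x509.Certificate.Verify, which also checks
// validity periods, basic constraints, path length, key usage and the host name.
func verifyStdlib(c chain, withIntermediate bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.root)
	if withIntermediate {
		inters.AddCert(c.sub)
	}
	_, err := c.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "endpoint.kp.local"})
	return err
}

func main() {
	c := buildChain()
	path, err := walkPath(c.leaf, certs{c.sub}, certs{c.root})
	fmt.Println("full path:", path, "err:", err)
	_, err = walkPath(c.leaf, nil, certs{c.root})
	fmt.Println("missing intermediate:", err)
	_, err = walkPath(c.leaf, certs{c.sub, c.root}, nil)
	fmt.Println("root not trusted:", err)
	fmt.Println("stdlib with intermediate:", verifyStdlib(c, true))
	fmt.Println("stdlib without intermediate:", verifyStdlib(c, false))
}
```

The hand-written walk only checks issuer linkage and signatures, which is enough to illustrate the post; a real verifier must also enforce validity periods, basic constraints, path length, key usage, name matching and revocation, which is why the second function defers to the standard library. When testing a client, the two negative cases (chain delivered without its subordinate CA certificate, and chain ending in a root the client does not trust) are the ones to confirm it rejects.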
