A device uses Intermediate Certification Authorities (CAs) to enable it to trust root CAs that are different from the root CA that signed its own certificate.

A user must manually choose to trust intermediate and end-entity certificates, or those certificates must be installed on the device as trusted in advance.

Root Certification Authorities (CAs) primarily sign certificates, and Intermediate Certification Authorities (CAs) primarily validate signatures.

A user must manually choose to trust a root Certification Authority (CA) certificate, or the root CA certificate must be installed on the device as trusted.