Hi CF,

End entity certificates chained to an intermediate certificate  represent the highest possible security solution for Certification  Authorities and therefore their customers.  There exists a very small  possibility, consistent amongst all certification authorities, that the  certificate used to sign end entity certificates could be compromised.  The signing process itself mandates that the signing certificate must be  accessible in order to perform the signing operation.  In the case of  an intermediate certificate, the corresponding root certificate is  secured/locked away, eliminating the possibility of it being compromised  by daily signing processes.  End entity certificates directly signed by  root certificates (i.e. no intermediate protection) provide no recourse  should the root certificate itself become compromised. If an  Intermediate were to be compromised then new intermediates could be  created and new end entity certificates could be issued.

Once a  root itself is compromised there is no solution or replacement strategy.   It is therefore considered industry best practice to use intermediate  certificates.

Courtesy : WhichSSL

Now coming to ACE , we need to configure the certificate chain group , to allocate all the root certificates , if we miss one of the root certificate in the chain group , end user will be getting the certificate warning.

So it is complusory we shold configure the chaingroup will all the root certificate assosicated with the Intermediate certificate.

HTH,

PMD