A certificate chain goes Root CA → Intermediate CA(s) → End-entity certificate. Browsers verify the chain to the trusted root to establish trust.
Root CAs sign Intermediate CAs; Intermediate CAs sign end-entity (server) certs. Root CAs are offline and extremely protected. Intermediate CAs do the day-to-day signing. If any CA in the chain is compromised, all downstream certs are untrusted.
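
The chain check described above, as an added example that is not part of the original page: it builds a throwaway Root CA → Intermediate CA → end-entity chain with the `openssl` CLI and shows that verification succeeds only when every link up to a trusted root is present. All names, file stems and the 30-day lifetime are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: every name and file here is made up for illustration.
set -u

write_config() {  # $1 = working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
}
new_root() {  # $1=dir $2=file stem $3=CN; self-signed trust anchor
  openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
issue() {  # $1=dir $2=file stem $3=CN $4=issuer stem $5=extension section
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
    -days 30 -extfile "$1/pki.cnf" -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}
build_chain() {  # Root CA -> Intermediate CA -> end-entity, plus an unrelated root
  write_config "$1" && new_root "$1" root "Demo Root CA" &&
  new_root "$1" other "Unrelated Root CA" &&
  issue "$1" int "Demo Intermediate CA" root v3_ca &&
  issue "$1" leaf "www.example.test" int v3_leaf
}
# verify_leaf DIR TRUSTED_ROOT [INTERMEDIATE]: exit 0 only if the leaf chains to that root
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1/$2.pem" -untrusted "$1/$3.pem" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/$2.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}
demo() {
  d=$(mktemp -d) || return 1
  build_chain "$d" || { echo "openssl failed"; return 1; }
  verify_leaf "$d" root int  && echo "root + intermediate supplied: trusted"
  verify_leaf "$d" root      || echo "intermediate missing: rejected"
  verify_leaf "$d" other int || echo "chain ends at a root the verifier does not trust: rejected"
  rm -rf "$d"
}
demo
```

The second case is the common deployment fault: a server that sends only its end-entity certificate leaves the verifier unable to link it to the root.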