Forum Discussion
SSL / Intermediate Certs in SSL profiles
There's actually a few places in the client SSL profile to inject certificate authorities, but I'm going to assume you mean the chain option at the top of the profile, right under the Certificate and Key selection.
There are two things to understand about this Chain option:
- It is intended to "help" the client by providing any CA certificates the client may not have in order to build a complete trust chain. During the SSL handshake, and directly after the server's ServerHello message, the server sends a Certificate message that contains its certificate (what you've loaded into the profile's Certificate selection), and optionally a group of CA certificates (what you've loaded into the Chain selection).
- It should NEVER include the root CA. The client should explicitly trust the root CA, and by default most browser agents will simply ignore a root CA in the server's certificate message. The Chain selection is intended solely for intermediate CA certificates, and can either be a single intermediate CA or a "bundle" of intermediates. A bundle is created by concatenating the PEM-formatted certificates into a single text file and importing that as a single certificate.
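An added, stand-alone check for the two points above (example code, not part of the original answer or of F5's tooling): given the server certificate PEM and the bundle you intend to load into the Chain field, it flags any self-signed (root) certificate and verifies that each intermediate issued the certificate before it, using only the Python standard library and a byte-for-byte comparison of the DER-encoded issuer and subject Names. `sample_cert_pem` builds constructed, unsigned certificate skeletons solely to exercise the check offline.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real certs use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Walk tbsCertificate just far enough to return (issuer, subject) as raw DER Name bytes."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)                          # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0
    _, _, pos = _tlv(tbs, pos)                          # serialNumber
    _, _, pos = _tlv(tbs, pos)                          # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)                     # issuer Name
    _, _, pos = _tlv(tbs, pos)                          # validity
    _, subject, _ = _tlv(tbs, pos)                      # subject Name
    return issuer, subject

def check_chain(server_pem, chain_pem):
    """Problems with pairing the profile's server certificate and its Chain bundle (empty list = OK)."""
    parse = lambda pem: [issuer_and_subject(base64.b64decode(m)) for m in PEM_RE.findall(pem.encode())]
    (prev_issuer, _), = parse(server_pem)               # exactly one server certificate expected
    problems = []
    for i, (issuer, subject) in enumerate(parse(chain_pem)):
        if issuer == subject:                           # root CAs are self-signed: never ship them
            problems.append(f"chain cert {i} is self-signed (root CA): remove it from the bundle")
        if subject != prev_issuer:                      # each cert must have issued the one before it
            problems.append(f"chain cert {i} did not issue the preceding certificate: bundle order is wrong")
        prev_issuer = issuer
    return problems

def _der(tag, body):
    """Encode one DER TLV (used only to construct the sample certificates below)."""
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x81, len(body)]) + body

def sample_cert_pem(subject, issuer):
    """Constructed, unsigned certificate skeleton with the field order the parser walks; not a usable cert."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
```

Run `check_chain` against the real server certificate and the bundle file before importing them; an empty result means no root is present and the intermediates are in leaf-to-root order.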