To elaborate on Erik's comment, trusting the Root CA certificate means
that you will trust what the Root CA directly signs.
If you have an intermediate Sub CA in the middle, its certificate is
signed by the Root CA, and the Sub CA signs your certificate directly.
Root CA ---signs/verifies---> Sub CA ---signs/verifies--->
End user certificate
As Erik said, if you do not have the Sub CA certificate present, then
there is no way to link the Root CA to the End user certificate. The Root
can verify the Sub CA certificate, and the Sub CA can verify the End user
certificate, but there is no way for the Root to skip over the Sub CA and
verify the End user certificate because the root did not sign the End user
2 ways to resolve this are:
- include the Sub CA cert in your trusted certificates OR
- make sure the Sub CA cert is included with the end user certificate so
can be established.