It just says that the CA you bought it from is trusted by another CA, and that is trusted by another CA, all the way up to the root CA.
The one I got was from PositiveCA, aka Comodo, and its chain was just one CA long.
But, if you install the cert into your servers, Firefox and Thunderbird will throw up a warning dialog box saying these aren’t trusted. How do you get rid of that?
The answer, for Courier IMAP, is to put all the certs into the PEM file where you have your key and cert.
Courier IMAP requires you to put the private key that was used to generate the certificate signing request, together with the cert, into a single PEM file. Mine starts with the key, then the certificate that was sent back.
To that, append the certificate that certifies your certificate. Mine was PositiveSSLCA2.crt.
The next link up in my chain was the AddTrust cert, and it’s a root cert that’s included with Thunderbird, so I left it out.
If you have a longer chain, you keep adding certificates, so that each certificate verifies the one just preceding it.
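A quick check of the combined PEM layout described above, as an added example that is not from the original post: the hypothetical function `check_courier_pem` uses the `openssl` command line to confirm that the private key matches the first certificate and that each certificate is issued by the one that follows it. It compares issuer and subject name hashes only and does not verify signatures.

```shell
#!/bin/sh
# Added example: sanity-check a combined Courier IMAP PEM file
# (private key, then server cert, then each intermediate in order).
# Returns 0 if the layout is consistent, 1 otherwise.
check_courier_pem() {
    pem=$1
    tmp=$(mktemp -d) || return 1

    # Split every CERTIFICATE block into its own file: cert1.pem, cert2.pem, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; grab = 1 }
        grab { print > out }
        /-----END CERTIFICATE-----/   { grab = 0; close(out) }
    ' "$pem"

    count=$(ls "$tmp" | wc -l | tr -d ' ')
    rc=0
    if [ "$count" -lt 1 ]; then
        echo "no certificate found in $pem"; rc=1
    fi

    # The private key must belong to the first (server) certificate.
    if [ "$rc" -eq 0 ]; then
        key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
        crt_pub=$(openssl x509 -in "$tmp/cert1.pem" -noout -pubkey 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
            echo "private key does not match the first certificate"; rc=1
        fi
    fi

    # Each certificate must be issued by the one that follows it.
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash 2>/dev/null)
        subject=$(openssl x509 -in "$tmp/cert$next.pem" -noout -subject_hash 2>/dev/null)
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            echo "cert $i is not issued by cert $next: wrong order or missing link"; rc=1
        fi
        i=$next
    done

    rm -rf "$tmp"
    return "$rc"
}
```

Call it with the path to your own combined file, for example `check_courier_pem /path/to/your.pem`; a root cert that was deliberately left out of the file does not cause a failure, because only the links present in the file are compared.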
And how it works…
When you use it, the certificate chain is sent along with the cert. The client then adds the intermediate CAs in the chain into its database of certificate authorities.
Your site is verified, and the client is happy.