Root CAs (called “trust anchors” in X.509 terminology) hold the highest position in the trust tree and are recognized by all clients (browser/OS). Root CAs are responsible for identifying intermediate CAs and verifying their trustworthiness. The root CA uses the private key belonging to its certificate to sign the certificates of the intermediate CAs beneath it (or, in the case of an unchained certificate, the server certificate directly). The trustworthiness of the root CA is thus “passed down” to the intermediate CAs: any CA that has been validated by the root CA is automatically trusted by the root CA’s clients.
The intermediate CA is the “middle-man” between the root CA and the server certificate. Intermediate CA certificates are signed either by the root CA or by another intermediate CA whose certificate is in turn signed by a root CA. The intermediate certificate, in turn, signs the server certificate. A chain often contains one or more intermediate CA certificates. For the server certificate to be accepted by all of its clients, the intermediate certificate has to be installed on the server along with it; if it is not, some browsers, mobile devices, applications, etc. may be unable to build the chain and will not trust the server certificate.
The server certificate is the certificate publicly issued to a server for the specific domains that the user wants to connect to. Server certificates are signed by the intermediate CA and can be traced back to the root CA. Once the Chain of Trust has been verified, the client establishes a secure connection with the server.