TLS where to put certificates


I created three certificates -- for the root CA, the intermediate CA and the server. They represent the simple chain of trust:

server -> intermediate -> root

The question is how to correctly put them on the client and the server.
I have two options:

  1. Put the root certificate in the client trustStore and the others -- the intermediate and server certificates -- in the server keyStore. Thus the server will send two certificates and the client will validate the server certificate with the intermediate, which will be validated with the root certificate stored in the client's trustStore.

  2. Put the root and intermediate certificates in the client trustStore, while the server stores only its own certificate in its keyStore.

Enlighten me :)

When I've set up web servers with intermediate certificates I've put the intermediate certs on the server. It's the server's job to prove its identity to the client, and to do this it sends out the certificate hierarchy (intermediate certs) between the webserver certificate and the trusted root, as the client may not have these. So your option 1 would be the way to go, I think.
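
To compare the two layouts, and the case where the intermediate is missing on both sides, here is an added example (not from the original posts) that builds a throwaway three-level chain with `openssl` and verifies the server certificate under each one. `-CAfile` stands in for the client trustStore and `-untrusted` for the extra certificate the server sends; all subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Every subject name and file name here is constructed for the demo.

# Build root -> intermediate -> server in a temp directory and print its path.
make_chain() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" &&
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n' > req.cnf &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext &&
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext &&
    for n in root intermediate server; do
      openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.csr" || exit 1
    done &&
    openssl x509 -req -in root.csr -signkey root.key \
      -extfile ca.ext -days 30 -out root.pem &&
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 30 -out intermediate.pem &&
    openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
      -CAcreateserial -extfile leaf.ext -days 30 -out server.pem &&
    cat root.pem intermediate.pem > trust-option2.pem
  ) >/dev/null 2>&1 || return 1
  echo "$d"
}

# Option 1: client trusts only the root; the server sends leaf + intermediate.
# -untrusted plays the role of the extra certificate sent in the handshake.
verify_option1() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    "$1/server.pem" >/dev/null 2>&1
}

# Option 2: client trusts root and intermediate; the server sends only its leaf.
verify_option2() {
  openssl verify -CAfile "$1/trust-option2.pem" "$1/server.pem" >/dev/null 2>&1
}

# Neither option: client trusts only the root and the server omits the intermediate.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

dir=$(make_chain) || { echo "openssl failed" >&2; exit 1; }
verify_option1 "$dir" && echo "option 1: chain verifies"
verify_option2 "$dir" && echo "option 2: chain verifies"
verify_leaf_only "$dir" || echo "leaf only, root-only trust: verification fails"
rm -rf "$dir"
```

Both options verify, but option 2 requires every client trustStore to be updated whenever the intermediate changes, whereas option 1 keeps that change on the server.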