Your application (endpoint) server must send any intermediate certificates in the certificate chain, and the certificate chain must be in the correct order. The correct order is:
- Server certificate.
- Intermediate certificate that signed the server certificate if the server certificate was not signed directly by a root certificate.
- Intermediate certificate that signed the certificate in step 2.
- Any remaining intermediate certificates. Do not include the root certificate authority certificate. The root certificate is not sent by your server. Salesforce already has its own list of trusted certificates on file, and a certificate in the chain must be signed by one of those root certificate authority certificates.