Certificate Chains
A single entity's certificate can be backed by a list of signing certificates that leads up to the original, self-signed root certificate. Such a list, in which each certificate is signed by the next, is called a certificate chain.
With a certificate chain, each signature in the list must be validated in turn until a trusted CA certificate is reached. For Java and JMS clients that use SSL with Broker (Entrust certificate format), you must include the entire chain of certificates in a keystore and truststore. (For Broker clients that use OpenSSL, this requirement does not apply.) In addition, any root CA certificates in use by clients must be in the Broker Server's truststore.
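The following added example is not part of the Broker documentation. It checks that each keystore entry carries its entire chain up to a self-signed root that is also in the truststore. It assumes the client keystore can be listed with the JDK's `keytool -list -v`; `SAMPLE`, `TRUSTED` and the function names are hypothetical. It compares Owner and Issuer names only and does not verify signatures.

```python
# Constructed, abridged `keytool -list -v` output; every name is made up.
SAMPLE = """\
Alias name: good
Certificate[1]:
Owner: CN=jms-client, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Alias name: short
Certificate[1]:
Owner: CN=jms-client-2, O=Example
Issuer: CN=Example Issuing CA, O=Example
"""
TRUSTED = {"CN=Example Root CA, O=Example"}  # assumed truststore subjects

def parse_chains(text):
    """Return {alias: [(owner, issuer), ...]} in the order keytool lists them."""
    chains, alias, owner = {}, None, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Alias name":
            alias = value
            chains[alias] = []
        elif key == "Owner":
            owner = value
        elif key == "Issuer" and alias is not None:
            # keytool prints Issuer right after Owner for the same certificate
            chains[alias].append((owner, value))
    return chains

def chain_problems(chain, trusted_roots):
    """List why a chain is incomplete; an empty list means it reaches a trusted root."""
    if not chain:
        return ["entry holds no certificates"]
    problems = []
    for (owner, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:  # each certificate must be issued by the next one
            problems.append(f"{owner!r} is issued by {issuer!r}, not {next_owner!r}")
    top_owner, top_issuer = chain[-1]
    if top_owner != top_issuer:  # last certificate is not a self-signed root
        problems.append(f"chain stops at {top_owner!r}; issuer {top_issuer!r} is missing")
    elif top_owner not in trusted_roots:
        problems.append(f"root {top_owner!r} is not in the truststore")
    return problems

for alias, chain in parse_chains(SAMPLE).items():
    print(alias, chain_problems(chain, TRUSTED) or "complete")
```

An entry that is reported as stopping short lacks one or more issuing certificates and needs them imported before the keystore is used.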