When & How the Intermediate Certificates will be available to Browser

Question

I am aware that Root CAs will publish their Root Certificates to all Browser vendors (Google, Microsoft, Mozilla etc...). Then when we install any browser in our machine, it will also load all the Root CAs during the installation process.

My question is how the Intermediate Certificates of the Intermediate CAs will be loaded to our browser? When & how the browser will get the Intermediate Certificates so that the browser can validate the signature on the Intermediate Certificate when it receive from the Web Server during the hand-shake process.

Answer 1

Your server must send any intermediate certificates to the browser along with its own certificate.

RFC 5246, section 7.4.2 says:

certificate_list
This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.

TLS 1.3 and other protocols have a similar concept - certificates are sent as chains, not individually.