Final answer:
Digital certificates for both root CAs and intermediate CAs are found pre-installed in browser and operating system trust stores, or are provided with your SSL/TLS certificate. The certificate chain needed to establish trust can be automatically sent to clients during the SSL/TLS handshake or manually installed by administrators for custom applications.
Step-by-step explanation:
Digital certificates for root Certificate Authorities (CAs) and intermediate CAs are often packaged within the web browsers or operating systems' trust stores. These trust stores come preloaded with a list of trusted root certificates that the browser or operating system vendor has established; this is why you generally do not have to manually install a root certificate when you visit a secure website – your system already trusts it.
If an entity has a certificate issued by an intermediate CA, the browser or system needs to construct a certificate chain that leads back to a trusted root CA. This chain usually comes packaged with your SSL/TLS certificate. When you receive your certificate from a Certificate Authority, they provide you not only with your domain's certificate but also with the intermediate certificates necessary to establish trust with root CAs that are already installed in the client systems' trust stores.
Web servers are configured to send the required chain of intermediate certificates during the SSL/TLS handshake process so that the client's system can verify the authenticity of the certificate and the security of the connection. For applications and custom implementations, administrators may need to manually install both the certificate and the intermediate certificates to ensure proper trust validation.