There are three types of digital certificates that are involved in producing a digital signature:
The "end" or "signing" certificate, which contains the public key to be used to validate the actual digital signature.
One or more "intermediate" Certification Authority (CA) certificates, which contain the public keys to validate the signing certificate or another intermediate certificate in the chain.
The "root" CA certificate, which contains the public key used to validate the first intermediate CA certificate in the chain (or, rarely, the signing certificate directly). An otherwise valid signature is "trusted" by TMWS if the CA certificate of the signature is known to TMWS and is active.
If TMWS encounters an unknown CA certificate during SSL handshake processing, it automatically saves the certificate in the Inactive CA Certificates list. Intermediate and root CA certificates are collected in this way. If required later, a CA certificate collected in this way can be "activated" (made trusted or untrusted by TMWS) so that the signatures of websites depending on it can be processed as valid or invalid.