My app uses SSL to communicate securely with a server and it's having trouble verifying the certificate chain. The chain looks like this:

Entrust.net Secure Server Certification Authority -> DigiCert Global CA -> *.ourdomain.com

We are using a certificate store pulled from Mozilla. It contains the Entrust.net certificate, but not the DigiCert Global CA one.

My understanding is that an intermediate authority doesn't have to be trusted as long as the root authority is, but the verification fails:

% openssl verify -CAfile mozilla-root-certs.crt ourdomain.com.crt
error 20 at 0 depth lookup:unable to get local issuer certificate

So do I need to explicitly trust the DigiCert Global CA in order for verification to pass? That seems wrong. But you tell me!

EDIT: I now understand that the certificate file needs to be available to OpenSSL up front. Something like this works:

% openssl verify -CAfile mozilla-root-certs.crt -untrusted digicert.crt ourdomain.com.crt
ourdomain.com.crt: OK

This allows me to provide a copy of the DigiCert CA without explicitly saying "I trust it", the whole chain still needs to be verified.

But surely browsers like Firefox won't always ship with a copy of every single certificate it'll ever need. There's always going to be new CAs and the point is to use the security of the root certificate to make sure all intermediate CAs are valid. Right? So how does this work? Is it really as silly as it looks?