In article <m3mzo6irj8.fsf@lhwlinux.garlic.com>,
Anne & Lynn Wheeler <lynn@garlic.com> wrote:

>these certification authority root public keys can be used for
>directly signing customer digital certificates .... or, in some cases,
>they may be used for signing other organization digital certificates
>containing their own unique public keys.
>
>in a standard PKI trust hierarchy ... the root public key may be used
>for signing subsidiary certificates containing subsidiary public keys
>... and then the subsidiary public keys are used for directly signing
>general digital certifictaes.
>
>as a result ... you may find a ca that has a root public key
>pre-installed in large number of different browsers ... but it is one
>of the organization's subsidiary public keys that might be signing
>your specific digital certificate.

And you have to remember to include the subsidiary CA's certificate
along with your own (e.g. via the "SSLCACertificateFile" directive in
Apache), otherwise your certificate might not be recognized.