How do SSL chains work?

PeanutsMonkey

Why are intermediate certificate authorities required? When would an intermediate certificate be used? How do I verify the chain from the intermediate certificate to the root certificate? What are examples of intermediate certificates that link to root certificates?

user1686

Why are intermediate certificate authorities required? When would an intermediate certificate be used?

Sometimes, to protect the root CA's private key, it is stored in a very secure location and only used to sign a few intermediate certificates, which then are used to issue end entity certificates. In case of compromise, the intermediates can be revoked quickly, without having to reconfigure every single machine to trust a new CA.

Another possible reason is delegation: for example, such companies as Google, which often use many certificates for their own networks, will have an intermediate CA of their own.

How do I verify the chain from the intermediate certificate to the root certificate?

Usually, the end entity (for example, an SSL/TLS web server) provides you with the entire certificate chain, and all you have to do is verify the signatures.

The last in that chain is the root certificate, which you already have marked as trusted.

For example, when you have a chain [user] → [intermed-1] → [intermed-2] → [root], the verification is like this:

  1. Does [user] have [intermed-1] as its "Issuer"?

  2. Does [user] have a valid signature by [intermed-1]'s key?

  3. Does [intermed-1] have [intermed-2] as its "Issuer"?

  4. Does [intermed-1] have a valid signature by [intermed-2]'s key?

  5. Does [intermed-2] have [root] as its "Issuer"?

  6. Does [intermed-2] have a valid signature by [root]'s key?

  7. Since [root] is at the bottom of the chain and has itself as "Issuer", is it marked as trusted?

The process is exactly the same all the time; the existence and count of intermediate CAs does not matter. The user certificate can be signed by root directly, and it will be verified the same way.

What are examples of intermediate certificates that link to root certificates?

See the certificate information of https://twitter.com/ or https://www.facebook.com/ for chains containing three or four certificates. See also https://www.google.com/ for an example of Google's own certification authority.
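As an added example that is not part of the original answer, the following shell script builds the same [user] → [intermed-1] → [intermed-2] → [root] chain with the openssl command line and then runs the seven checks from the answer: the Issuer/Subject comparison for steps 1, 3, 5 and 7, and `openssl verify` for the signature checks in steps 2, 4 and 6 plus the "is the root in my trust store" check in step 7. Every name in it (Example Root, Example Intermediate 1/2, www.example.test, the file names) is constructed for this demo; it needs only openssl (1.1.1 or newer), mktemp and sed.

```shell
#!/bin/sh
# Added example (not from the original answer): build the chain
# [user] -> [intermed-1] -> [intermed-2] -> [root] from the answer with the
# openssl CLI, then walk the same seven checks. All names (Example Root,
# www.example.test, ...) are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on a system openssl.cnf;
# the ca_ext section is applied only when -x509 (self-signed) is used.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# Extensions for an intermediate CA and for the end entity certificate.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nsubjectAltName = DNS:www.example.test\n' > "$WORK/leaf.ext"

gen_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key" 2>/dev/null; }

# Root: signs itself, so its Issuer equals its Subject (step 7). Trust in it
# comes from the verifier's store, never from a signature.
make_root() {   # $1 = file base name, $2 = CN
    gen_key "$1"
    openssl req -x509 -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "/CN=$2" -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate for $1 (CN $2), signed with issuer $3's private key, extensions from $4.ext.
issue() {
    gen_key "$1"
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$4.ext" -out "$WORK/$1.crt" 2>/dev/null
}

issuer_of()  { openssl x509 -noout -issuer  -in "$WORK/$1.crt" | sed 's/^issuer=//'; }
subject_of() { openssl x509 -noout -subject -in "$WORK/$1.crt" | sed 's/^subject=//'; }

# Steps 1, 3, 5 (and the "itself as Issuer" part of 7): does $1 name $2 as its Issuer?
issuer_matches() { [ "$(issuer_of "$1")" = "$(subject_of "$2")" ]; }

# Steps 2, 4, 6 and 7 in one call: openssl verify checks each signature with the
# next certificate's key and requires the chain to end at a self-signed
# certificate found in -CAfile (the trust store). $3 is an optional PEM file of
# untrusted intermediates, i.e. what a TLS server sends alongside its own cert.
verify_chain() {   # $1 = leaf, $2 = trusted root, $3 = intermediates file or ""
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$WORK/$2.crt" -untrusted "$WORK/$3" "$WORK/$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
    fi
}

build_demo_chain() {
    make_root root "Example Root"
    issue intermed-2 "Example Intermediate 2" root ca
    issue intermed-1 "Example Intermediate 1" intermed-2 ca
    issue user "www.example.test" intermed-1 leaf
    cat "$WORK/intermed-1.crt" "$WORK/intermed-2.crt" > "$WORK/intermediates.pem"
    make_root other-root "Unrelated Root"   # a trusted root that did not sign this chain
}

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }

build_demo_chain
report issuer_matches user intermed-1
report issuer_matches intermed-1 intermed-2
report issuer_matches intermed-2 root
report issuer_matches root root
report verify_chain user root intermediates.pem       # full chain: OK
# Expected failures, each mapping to one of the answer's checks:
report verify_chain user root ""                       # intermediates missing
report verify_chain user other-root intermediates.pem  # chain ends at a root that is not trusted
report verify_chain user intermed-2 intermediates.pem  # trusted cert is not self-signed (step 7)
```

The three expected failures are the situations a practitioner meets most often: a server that forgets to send its intermediates (the client cannot perform steps 2 to 4 at all), a client whose store lacks the issuing root (step 6 has no key to check against), and a store that contains only an intermediate, which `openssl verify` rejects unless `-partial_chain` is given because step 7 requires the last certificate to be self-signed and trusted.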
