Currently, we export two files, root.pem and chain.pem. OpenSSL CLI only parses the first certificate from the chain, intermediate CAs have to be added using the -untrusted option.