When chaining the certificate for use with an internal Sandbox (CASMA) appliances, the order in which the servers are chained is different depending on which type of CA is used.

When chaining the certificate for use with a public CA or self-signed certificate, the order is the same; server, intermediate(s), root.

When chaining the certificate for use with an internally-signed CA, the order is the opposite; root, intermediate(s), server.