Some Certificate Authorities (CA) do not issue their signed certificates with the entire certificate chain, assuming that the client application using the certificate will have the CA implicitly trusted, as is common in desktop and server environments. Because the Gateway appliance trusts no entity implicitly, it may be necessary to import the entire certificate chain from the CA, to its intermediaries, down to the client certificate.
If this is not done, connections initiated with the certificate will be considered "untrusted" by the end user because the client application will not be able to verify the certificate chain--even if the certificate is issued by a known certificate authority.