Add para about cert chains

Rand McKinney · Rand McKinney · commit 20a6df7da20c · 2024-08-08T11:30:02.000-07:00
diff --git a/docs/manifest/signing-manifests.md b/docs/manifest/signing-manifests.md
@@ -49,7 +49,7 @@ Although not recommended due to complexity and difficulty, you can create your o
 
 ### Signature types
 
-The following table describes the signature algorithms and recommended signature types that the [C2PA Tool](/docs/c2patool) and [Rust library](/docs/rust-sdk) support. You must supply credentials (certificates and keys) that correspond to the signing algorithm. Signing/validation will fail if the the supplied credentials don't support the signature type. 
+The following table describes the signature algorithms and recommended signature types that the CAI SDK supports. You must supply credentials (certificates and keys) that correspond to the signing algorithm. Signing/validation will fail if the the supplied credentials don't support the signature type. 
 
 | Certificate `signatureAlgorithm` | Description  | Recommended signature type | RFC Reference |
 | -------------------------------- | ------------ | -------------------------- | ------------- |
diff --git a/docs/prod-cert.mdx b/docs/prod-cert.mdx
@@ -17,6 +17,8 @@ When you purchase a certificate, you must select at least one of the extended ke
 
 The process to purchase a certificate and key is different for each CA: You might be able to simply click a "Buy" button on the CA's website. Or your can make your own key, create a certificate signing request (CSR), and send it to CA. Regardless of the process, what you get back is a signed certificate that you use to create a certificate chain.
 
+The certificate chain starts with the certificate from the last tool that signed the manifest (known as the "end-entity") followed by the certificate that signed it, and so on, back to the original CA issuer. This enables a validating application to determine that the manifest is valid because the certificate chain goes back to a trusted root certificate authority.
+
 ### Certificate signing requests (CSRs)
 
 A CSR is just an unsigned certificate that's a template for the certificate that you're requesting. The CA create a new certificate with the parameters specified in the CSR, and signs it with their root certificate, which makes it a "real" certificate.
