Resolution:
If chain certificates include the following:

CA1.cert.pem
CA2.cert.pem (signed by CA1.cert.pem)
server.cert.pem (signed by CA2.cert.pem)

You can import CA1 and CA2 to the certificate store, or you can import only the root "CA1" into the store.

To import both CA1 and CA2:

1). Installing CA certificates on the client machine:

Open "Certificate" in MMC Snap-in
Go to "Intermediate Certificate Authorities"
Go to "Certificate"
Import "CA2.cert.pem".

Go to "Trusted Root Certificate Authorities"
Go to "Certificate"
Import "CA1.cert.pem".

2). In tibemsd.conf, configure the following, i.e:

ssl_server_identity     = server.cert.pem
ssl_server_key          = server.key.pem
ssl_password = password

If only CA1 is imported, applications can provide CA2 with API " EMSSSLFileStoreInfo.SetSSLTrustedCertificate(CA2)".