zh/en: add `buildChain` in `CertificateObject` (#547)

docs/config/transport.md

@@ -436,6 +436,7 @@ CipherSuites 用于配置受支持的密码套件列表, 每个套件名称之
   "ocspStapling": 3600,
   "oneTimeLoading": false,
   "usage": "encipherment",
+  "buildChain": false,
   "certificateFile": "/path/to/certificate.crt",
   "keyFile": "/path/to/key.key",
   "certificate": [
@@ -533,6 +534,14 @@ OCSP 装订更新，与证书热重载的时间间隔。 单位：秒。默认
 如已经拥有一个域名, 可以使用工具便捷的获取免费第三方证书,如[acme.sh](https://github.com/acmesh-official/acme.sh)
 :::
 
+> `buildChain`: true | false
+
+仅当证书用途为 `issue` 时生效，若值为 `true` ，签发证书时将CA证书嵌入证书链。
+
+::: tip TIP 1
+不应该将根证书嵌入证书链。该选项只适合在签名CA证书为中间证书时启用。
+:::
+
 > `certificateFile`: string
 
 证书文件路径，如使用 OpenSSL 生成，后缀名为 .crt。

docs/en/config/transport.md

@@ -410,6 +410,7 @@ The bootstrapping path and query params of the spider. It's recommended to have
   "ocspStapling": 3600,
   "oneTimeLoading": false,
   "usage": "encipherment",
+  "buildChain": false,
   "certificateFile": "/path/to/certificate.crt",
   "keyFile": "/path/to/key.key",
   "certificate": [
@@ -507,6 +508,14 @@ Use `xray tls cert` to generate self-signed CA certificate.
 If you already have a domain name, you can use tools to obtain free third-party certificates easily, such as [acme.sh](https://github.com/acmesh-official/acme.sh).
 :::
 
+> `buildChain`: true | false
+
+Only valid when `usage` is `issue`. When set to `true`, the CA certificate will be appended to leaf certificate as chain during issuing certificates.
+
+::: tip TIP 1
+Root certificates should not be embedded in the certificate chain. This option is only applicable when the signing CA certificate is an intermediate certificate.
+:::
+
 > `certificateFile`: string
 
 Path to the certificate file generated by OpenSSL, with the suffix `.crt`.