diff --git a/gen/jsonschema/schemas/CertificateAuthority.schema.json b/gen/jsonschema/schemas/CertificateAuthority.schema.json
index f8bbffad..1451d307 100644
--- a/gen/jsonschema/schemas/CertificateAuthority.schema.json
+++ b/gen/jsonschema/schemas/CertificateAuthority.schema.json
@@ -16,7 +16,7 @@
 "certChain": {
 "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
 "additionalProperties": false,
- "description": "The certificate chain for this CA."
+ "description": "The certificate chain for this CA. The last certificate in the chain MUST be the trust anchor. The trust anchor MAY be a self-signed root CA certificate or MAY be an intermediate CA certificate."
 },
 "validFor": {
 "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",
diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
index 7805695a..01aa6008 100644
--- a/gen/jsonschema/schemas/Input.schema.json
+++ b/gen/jsonschema/schemas/Input.schema.json
@@ -545,7 +545,7 @@
 "certChain": {
 "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
 "additionalProperties": false,
- "description": "The certificate chain for this CA."
+ "description": "The certificate chain for this CA. The last certificate in the chain MUST be the trust anchor. The trust anchor MAY be a self-signed root CA certificate or MAY be an intermediate CA certificate."
 },
 "validFor": {
 "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",
diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json
index d03bacd5..fd26f81b 100644
--- a/gen/jsonschema/schemas/TrustedRoot.schema.json
+++ b/gen/jsonschema/schemas/TrustedRoot.schema.json
@@ -195,7 +195,7 @@
 "certChain": {
 "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
 "additionalProperties": false,
- "description": "The certificate chain for this CA."
+ "description": "The certificate chain for this CA. The last certificate in the chain MUST be the trust anchor. The trust anchor MAY be a self-signed root CA certificate or MAY be an intermediate CA certificate."
 },
 "validFor": {
 "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",
diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
index 86e12de4..21ec693f 100644
--- a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
+++ b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
@@ -134,7 +134,9 @@ type CertificateAuthority struct {
 // by the certificate authority to interact with the certificate
 // authority.
 Uri string `protobuf:"bytes,2,opt,name=uri,proto3" json:"uri,omitempty"`
- // The certificate chain for this CA.
+ // The certificate chain for this CA. The last certificate in the chain
+ // MUST be the trust anchor. The trust anchor MAY be a self-signed root
+ // CA certificate or MAY be an intermediate CA certificate.
 CertChain *v1.X509CertificateChain `protobuf:"bytes,3,opt,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
 // The time the *entire* chain was valid. This is at max the
 // longest interval when *all* certificates in the chain were valid,
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
index 63b3e85d..66c851ce 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
@@ -58,7 +58,11 @@ class CertificateAuthority(betterproto.Message):
 """
 
 cert_chain: "__common_v1__.X509CertificateChain" = betterproto.message_field(3)
- """The certificate chain for this CA."""
+ """
+ The certificate chain for this CA. The last certificate in the chain MUST
+ be the trust anchor. The trust anchor MAY be a self-signed root CA
+ certificate or MAY be an intermediate CA certificate.
+ """
 
 valid_for: "__common_v1__.TimeRange" = betterproto.message_field(4)
 """
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs
index 662c35ee..3fa8fa80 100644
--- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs
+++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs
@@ -52,7 +52,9 @@ pub struct CertificateAuthority {
 /// authority.
 #[prost(string, tag = "2")]
 pub uri: ::prost::alloc::string::String,
- /// The certificate chain for this CA.
+ /// The certificate chain for this CA. The last certificate in the chain
+ /// MUST be the trust anchor. The trust anchor MAY be a self-signed root
+ /// CA certificate or MAY be an intermediate CA certificate.
 #[prost(message, optional, tag = "3")]
 pub cert_chain: ::core::option::Option<
 super::super::common::v1::X509CertificateChain,
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
index f9edbaa3..5689ad9f 100644
Binary files a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin and b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin differ
diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
index f5d4821c..433fb9af 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
@@ -55,7 +55,11 @@ export interface CertificateAuthority {
 * authority.
 */
 uri: string;
- /** The certificate chain for this CA. */
+ /**
+ * The certificate chain for this CA. The last certificate in the chain
+ * MUST be the trust anchor. The trust anchor MAY be a self-signed root
+ * CA certificate or MAY be an intermediate CA certificate.
+ */
 certChain:
 | X509CertificateChain
 | undefined;
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index b7a8a9a4..7a4ca501 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
@@ -54,7 +54,9 @@ message CertificateAuthority {
 // by the certificate authority to interact with the certificate
 // authority.
 string uri = 2;
- // The certificate chain for this CA.
+ // The certificate chain for this CA. The last certificate in the chain
+ // MUST be the trust anchor. The trust anchor MAY be a self-signed root
+ // CA certificate or MAY be an intermediate CA certificate.
 dev.sigstore.common.v1.X509CertificateChain cert_chain = 3;
 // The time the *entire* chain was valid. This is at max the
 // longest interval when *all* certificates in the chain were valid,
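Review bot: The new `cert_chain` comment in protos/sigstore_trustroot.proto fixes where the trust anchor sits but not how a verifier must use it, and that is the security-relevant part once an intermediate CA is allowed as the anchor: a client that keeps building the path past the anchor (for example into a system root store) or that accepts a chain whose last element is not byte-identical to the anchor it was configured with would extend trust beyond what the TrustedRoot author intended. I would add after the new lines: `// Verifiers MUST treat the trust anchor as trusted as-is, MUST stop path building at it, and MUST NOT extend the path beyond it (e.g. to a system root store).` It would also help to say that the anchor is matched by the full certificate rather than by subject or key, or to point to wherever that rule lives, since an intermediate can be reissued under the same name. The ordering of the remaining certificates is presumably fixed by X509CertificateChain's own documentation in sigstore_common.proto, which is not in this diff; if it is not, it should be restated here. `message CertificateAuthority` begins before this hunk.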