diff --git a/internal/pkg/gateway/registry.go b/internal/pkg/gateway/registry.go
index 8a8f5a5f7bd..4544d2bc1ca 100644
--- a/internal/pkg/gateway/registry.go
+++ b/internal/pkg/gateway/registry.go
@@ -353,7 +353,8 @@ func (reg *registry) connectChannelPeers(channel string, force bool) error {
 for mspid, infoset := range reg.discovery.IdentityInfo().ByOrg() {
 var tlsRootCerts [][]byte
 if mspInfo, ok := config.GetMsps()[mspid]; ok {
- tlsRootCerts = mspInfo.GetTlsRootCerts()
+ tlsRootCerts = append(tlsRootCerts, mspInfo.GetTlsRootCerts()...)
+ tlsRootCerts = append(tlsRootCerts, mspInfo.GetTlsIntermediateCerts()...)
 }
 for _, info := range infoset {
 pkiid := info.PKIId
@@ -402,7 +403,8 @@ func (reg *registry) config(channel string) ([]*endpointConfig, error) {
 for mspid, eps := range config.GetOrderers() {
 var tlsRootCerts [][]byte
 if mspInfo, ok := config.GetMsps()[mspid]; ok {
- tlsRootCerts = mspInfo.GetTlsRootCerts()
+ tlsRootCerts = append(tlsRootCerts, mspInfo.GetTlsRootCerts()...)
+ tlsRootCerts = append(tlsRootCerts, mspInfo.GetTlsIntermediateCerts()...)
 }
 for _, ep := range eps.Endpoint {
 address := fmt.Sprintf("%s:%d", ep.Host, ep.Port)
@@ -420,7 +422,9 @@ func (reg *registry) configUpdate(bundle *channelconfig.Bundle) {
 var channelOrderers []*endpointConfig
 for _, org := range ordererConfig.Organizations() {
 mspid := org.MSPID()
- tlsRootCerts := org.MSP().GetTLSRootCerts()
+ msp := org.MSP()
+ tlsRootCerts := append([][]byte{}, msp.GetTLSRootCerts()...)
+ tlsRootCerts = append(tlsRootCerts, msp.GetTLSIntermediateCerts()...)
 for _, address := range org.Endpoints() {
 channelOrderers = append(channelOrderers, &endpointConfig{address: address, mspid: mspid, tlsRootCerts: tlsRootCerts})
 reg.logger.Debugw("Channel orderer", "address", address, "mspid", mspid)
diff --git a/internal/pkg/gateway/registry_test.go b/internal/pkg/gateway/registry_test.go
index c535f3ca955..c9ea4690c96 100644
--- a/internal/pkg/gateway/registry_test.go
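Review bot: In connectChannelPeers the slice still named `tlsRootCerts` now also carries the org's TLS intermediate CA certificates, and config and configUpdate further down do the same, so the name no longer says what the slice holds. The code that consumes the slice is not visible in this diff; if it loads these bytes into the TLS client's root pool, every intermediate becomes a trust anchor in its own right and a server chain is accepted as soon as it reaches one of them, without the root being consulted. That is often intended when servers do not present their full chain, but it also means dropping or replacing a root in the channel config does not withdraw trust while its intermediate is still listed. I would state this where the slice is built, for example `// tlsRootCerts holds the MSP's TLS root and intermediate CA certs; confirm that consumers treat every entry as a trust anchor`. All three enclosing functions start and end outside their hunks.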
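Review bot: The root-plus-intermediate merge in configUpdate is the third copy of the same two appends, and it starts from `[][]byte{}` where connectChannelPeers and config start from a nil `var tlsRootCerts [][]byte`, so an org with no TLS CA certs yields an empty slice here and a nil one there. Whether any consumer distinguishes the two is not visible, but one unexported helper that takes both cert lists and returns a fresh slice would keep the three call sites identical and give a single place to document what goes into the trust set. The call here would then read `tlsRootCerts := mergeTLSCACerts(msp.GetTLSRootCerts(), msp.GetTLSIntermediateCerts())`, where `mergeTLSCACerts` is a suggested name, not an existing function. configUpdate's body continues outside the hunk.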
+++ b/internal/pkg/gateway/registry_test.go
@@ -32,6 +32,7 @@ func TestOrdererCache(t *testing.T) {
 orderers, err := test.server.registry.orderers(channelName)
 require.NoError(t, err)
 require.Len(t, orderers, 1)
+ require.Len(t, orderers[0].tlsRootCerts, 3) // 1 tlsrootCA + 2 tlsintermediateCAs
 // trigger the config update callback, updating the orderers
 bundle, err := createChannelConfigBundle(channelName, []string{"orderer1:7050", "orderer2:7050", "orderer3:7050"})
@@ -40,6 +41,7 @@ func TestOrdererCache(t *testing.T) {
 orderers, err = test.server.registry.orderers(channelName)
 require.NoError(t, err)
 require.Len(t, orderers, 3)
+ require.Len(t, orderers[2].tlsRootCerts, 2) // 1 tlsrootCA + 1 tlsintermediateCA from sampleconfig folder
 }
 func TestStaleOrdererConnections(t *testing.T) {
@@ -75,8 +77,6 @@ func TestStaleOrdererConnections(t *testing.T) {
 func TestStaleMultiChannelOrdererConnections(t *testing.T) {
 channel1 := "channel1"
- // channel2 := "channel2"
- // channel3 := "channel3"
 def := &testDef{
 config: buildConfig(t, []string{"orderer1", "orderer2"}),
@@ -121,6 +121,10 @@ func TestStaleMultiChannelOrdererConnections(t *testing.T) {
 func buildConfig(t *testing.T, orderers []string) *dp.ConfigResult {
 ca, err := tlsgen.NewCA()
 require.NoError(t, err)
+ ica1, err := ca.NewIntermediateCA()
+ require.NoError(t, err)
+ ica2, err := ica1.NewIntermediateCA()
+ require.NoError(t, err)
 var endpoints []*dp.Endpoint
 for _, o := range orderers {
 endpoints = append(endpoints, &dp.Endpoint{Host: o, Port: 7050})
@@ -134,7 +138,8 @@ func buildConfig(t *testing.T, orderers []string) *dp.ConfigResult {
 },
 Msps: map[string]*msp.FabricMSPConfig{
 "msp1": {
- TlsRootCerts: [][]byte{ca.CertBytes()},
+ TlsRootCerts: [][]byte{ca.CertBytes()},
+ TlsIntermediateCerts: [][]byte{ica1.CertBytes(), ica2.CertBytes()},
 },
 },
 }
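Review bot: The two assertions added to TestOrdererCache, `require.Len(t, orderers[0].tlsRootCerts, 3)` and `require.Len(t, orderers[2].tlsRootCerts, 2)`, check only how many certificates ended up in the slice, not which ones. A regression that appended the wrong MSP's certs, or duplicated a root, would still pass, and the second count depends on what the sampleconfig folder happens to contain. Since this slice decides which CAs the gateway trusts, I would assert membership as well, for example a `require.Contains` check on `orderers[0].tlsRootCerts` for each entry of the configured `TlsIntermediateCerts`. None of the visible hunks asserts the peer-side slice built in connectChannelPeers, so that path may be uncovered. TestOrdererCache begins outside both hunks.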