S/MIME is based on Public Key Infrastructure (PKI). PKI is a technology which can be used to securely exchange information over insecure networks using public key cryptography. PKI uses X.509 certificates to bind a public key to an identity. S/MIME uses a hierarchical trust model where trust is inferred bottom-up. The root of the trust hierarchy is blindly trusted. All the leaf nodes and branches (the end-user and intermediate certificates) are trusted because they are children of the trusted root.
In PKI, the trust chain, from root to end-user certificate, is built using a chain of signed certificates. The root certificate signs the intermediate certificate and the intermediate certificate signs the end-user certificate. A certificate is signed using the private key of the issuer. Any changes to the certificate after signing will break the signature and will make the certificate invalid.