When users connect to your service that has the Entrust Cross Chain deployed the users browser will rate the two paths and provide each path with a score, whichever path has the highest score will be the path of trust the user browser will use to create the SSL/TLS connection.
This is the best deployment option as it offers the best Root ubiquity to the users connecting to your service, your services will be ready for when Microsoft removes trust for SHA1 Certificates
If the user does not have the G2 Root and is connecting to your service that has the Entrust Cross Chain deployed the EV Root will be used to create the path of trust for the SSL/TLS connection
EV Root ==> L1K Cross Certificate ==> L1K Chain ==> Public Certificate
2 Level Certificate Deployment
Download Direct Chain: https://www.entrust.com/l1k-certificates/L1K-2048-Xcert_sha256.cer
When using the Entrust direct cross chain to the L1K Intermediate certificate the following path will be provided as the path of trust:
Entrust 2048 SHA-1 Root ==> L1K X-Chain ==> Public Certificate
This option does provide a high level of Root ubiquity but will require maintenance in the future as it does not fully support SHA2 because of the use of the Entrust 2048 SHA1 Root, you will be required to update the Chain certificate before December 31st 2016 to ensure that services will not be affected by the Microsoft removal of SHA1 trust.