SSL Certificate Chain Checker

What Is an SSL Certificate Chain?

An SSL certificate chain (also called a chain of trust) is the sequence of certificates that links your server's certificate to a trusted root Certificate Authority (CA). When a browser connects to your site, it verifies each certificate in the chain: the leaf certificate (your server's cert), one or more intermediate certificates, and finally a root certificate pre-installed in the browser's trust store.

If any link in the chain is missing, expired, or misconfigured, browsers will show a security warning and visitors may not be able to reach your site.

Common Certificate Chain Problems

• Missing intermediate certificate — the most common issue. Your server sends only the leaf cert but not the CA's intermediate. Some browsers cache intermediates and work anyway, but others (especially mobile browsers and API clients) will fail.
• Expired intermediate or root certificate — even if your leaf cert is valid, an expired intermediate breaks the chain.
• Hostname mismatch — the certificate's Common Name or Subject Alternative Names don't match the domain being accessed.
• Wrong certificate order — certificates must be sent in order: leaf first, then intermediates.
• Self-signed certificates — the certificate is not issued by a trusted CA.

How to Fix an Incomplete Certificate Chain

1. Use this tool to identify which intermediate certificates are missing.
2. Download the correct intermediate certificate(s) from your Certificate Authority's website.
3. Concatenate the certificates in order — leaf certificate first, followed by intermediates — into a single file (often called a "full chain" or "CA bundle").
4. Update your web server configuration to use the full chain file.
5. Restart your web server and re-check with this tool to verify the fix.

Frequently Asked Questions

Why is my SSL certificate not trusted?

The most common reason is a missing intermediate certificate. Your server must send the complete chain (leaf + intermediates).

What is an intermediate certificate?

An intermediate certificate sits between your server's leaf certificate and the root CA. CAs use intermediates to sign leaf certificates instead of signing directly with the root, which stays offline for security.

My certificate works in Chrome but not in other browsers. Why?

Chrome caches intermediate certificates and can sometimes build the chain even when your server doesn't send it. Other browsers (Firefox, Safari) and most API clients don't do this and will reject an incomplete chain.