What Is an SSL Certificate Chain?
When a browser opens your site over HTTPS, it does not simply trust the certificate you installed. Instead it follows a certificate chain - an ordered set of certificates that links your website's certificate, through one or more intermediates, back to a root certificate the browser already trusts. That linked sequence is the chain of trust, and getting it right is the single most common cause of TLS errors that pass in one browser yet fail in others. This guide explains the three kinds of certificate involved, why intermediates exist, how validation actually works, how to fix an "incomplete chain" error, how to renew a certificate without breaking the chain, and how to inspect a real chain yourself.
The chain of trust: root, intermediate and leaf
A digital certificate proves that a particular public key belongs to a particular domain. But a browser has no prior relationship with your domain, so it cannot trust your certificate on its own. What it can trust is a small, curated set of root certificates that ship pre-installed inside its trust store - the list of Certificate Authorities (CAs) the browser or operating system vendor has vetted. The chain is the bridge between your unknown certificate and one of those known, trusted roots.
There are three roles a certificate can play in that bridge:
| Certificate | Also called | Signed by | Where it lives |
|---|---|---|---|
| Root | Trust anchor, CA root | Itself (self-signed) | Client trust store |
| Intermediate | Issuing CA, subordinate CA | The root (or another intermediate) | Sent by your server |
| Leaf | Server, end-entity, domain certificate | An intermediate | Installed on your server |
Read the chain from the bottom up. Your leaf certificate (the one issued
for example.com) is signed by an intermediate. That
intermediate is signed by the root. The root is signed by itself, which is
why it is called self-signed and why it can only be trusted because it is already in the
client's trust store rather than because something above it vouched for it. Each signature is
a cryptographic statement that says "I, the issuer, vouch for the certificate below me." Follow
those statements upward and you arrive at a trust anchor.
Why intermediate certificates exist
If the root can sign certificates, why not let it sign your leaf directly and skip the intermediate? The answer is risk management. The private key behind a root certificate is the most valuable secret a Certificate Authority owns: if it were ever stolen, every certificate that traces back to it would become suspect, and because roots are baked into billions of devices, replacing one is slow and painful. Intermediates exist so the root almost never has to be used at all.
Issuing through an intermediate delivers several practical benefits:
- The root key stays offline. The root signs only a handful of intermediates and is then kept air-gapped in a secured facility. Day-to-day issuance is performed by the intermediate, so the crown-jewel key is rarely exposed.
- Damage can be contained. If an intermediate's key is compromised, the CA can revoke just that intermediate rather than the entire root, limiting the blast radius without forcing a device-wide root replacement.
- Issuance can be delegated and specialised. A CA can run different intermediates for different products - for example one for short-lived automated certificates and another for organisation-validated certificates - and rotate them independently.
- Roots can be retired gracefully. Because clients trust the root, a CA can cross-sign a new intermediate from both an old and a new root, smoothing the transition while older devices catch up.
The cost of all this is the chain itself. Because there is an intermediate between your leaf and the trusted root, your server has to hand that intermediate to every client - and forgetting to do so is exactly what produces the errors covered below.
How chain validation actually works
When a client connects, the TLS handshake includes the certificates your server chooses to send. The client then performs path building and path validation: it tries to construct an unbroken chain from your leaf certificate up to a root it already trusts, and it checks every link along the way. In practice the client verifies, for each certificate:
- The signature. Each certificate must be correctly signed by the public key of the certificate directly above it. This is the mathematical proof that the issuer vouched for the subject.
- The names match. The "issuer" field on a certificate must match the "subject" field of the one above it, so the links genuinely connect.
- Validity dates. Every certificate in the path must be currently within its not-before and not-after window. An expired intermediate breaks the chain just as surely as an expired leaf.
- Revocation status. The client may check whether a certificate has been revoked, for example through OCSP or a certificate revocation list, before accepting it.
- The chain ends at a trusted root. The top of the constructed path must be a root present in the client's trust store. If the path cannot reach such a root, validation fails.
The crucial and often-missed point is the division of labour. The server is
responsible for sending the leaf and the intermediates; the client supplies the root from its
own trust store. You should not send the root yourself - it adds nothing, because a
client will never trust a root just because a server offered it, and it only enlarges the
handshake. The correct material to install is your leaf followed by the intermediate or
intermediates, ordered from leaf upward. A file containing exactly that is usually called a
fullchain file, and installing it is what keeps strict clients happy.
"Incomplete chain" errors and how to fix them
By far the most common chain problem is the incomplete chain, also described as a missing intermediate or "unable to get local issuer certificate." It happens when the server presents only the leaf certificate and omits the intermediate that links it to the root. The symptom is maddening because it is inconsistent:
- Desktop Chrome often looks fine. Many desktop browsers implement AIA fetching: when an intermediate is missing, they read the leaf's Authority Information Access extension, download the intermediate from the URL listed there, and complete the chain on their own. The padlock appears and you assume all is well.
- Stricter clients fail. Plenty of clients do not chase down the missing intermediate. Command-line TLS tools, many mobile apps, older Java environments, some IoT devices and certain payment or API gateways will simply report the certificate as untrusted. This is why a site that "works in my browser" can still break a mobile app or an integration.
To fix an incomplete chain:
- Get the correct intermediate. Your Certificate Authority provides the intermediate (and any additional intermediates) alongside your leaf when the certificate is issued. If you have lost it, download it again from the CA.
- Build the full chain in the right order. Concatenate your leaf certificate first, then the intermediate(s), into a single bundle - leaf at the top, intermediate below, never the root. Many automated tools produce a
fullchain.pemthat already does this. - Point the web server at the bundle. Configure your server to serve the full chain rather than the bare leaf, then reload it so the new configuration takes effect.
- Re-test from a strict client, not just your browser. Because a browser may mask the problem with AIA fetching, confirm the fix with a tool that reports exactly what the server sent.
Other chain faults follow the same theme: certificates installed in the wrong order, a mismatched intermediate that does not actually correspond to the leaf, or an expired intermediate. All of them stop a client from building a clean path to a trusted root, and all of them are caught by inspecting the live chain. You can run a focused scan with our SSL Analyzer, which connects to your site and shows each certificate it received in order, flagging a missing or out-of-order intermediate.
Renewing a certificate without breaking the chain
Renewing an SSL certificate sounds like a simple swap, but it is one of the most frequent ways a previously healthy site suddenly serves a broken chain. The reason is that renewal is not only about the leaf. When you renew, reissue or rotate a certificate, the Certificate Authority may sign the new leaf with a different or newer intermediate than the one your server is currently serving. If you replace the leaf but leave the old intermediate in place - or install no intermediate at all - the links no longer connect, and clients see an incomplete or mismatched chain even though your brand-new leaf is perfectly valid.
A renewal that keeps the chain intact follows a short, disciplined checklist:
- Renew well before expiry. Leave enough margin that a mistake can be caught and corrected before visitors ever see a warning. Automated issuance is ideal precisely because it removes the manual deadline pressure.
- Install the new leaf and its matching intermediates together. Treat them as a set. Update the full-chain bundle so the new leaf sits above the intermediate the CA shipped with this renewal, not above whatever intermediate happened to be there before.
- Reload, do not just replace files. Most servers keep the old certificate in memory until they are reloaded or restarted, so the new chain will not go live until you tell the server to pick it up.
- Verify the live chain after the change. A renewal is not finished when the files are in place; it is finished when an external check confirms the server is presenting a complete, correctly ordered chain that validates to a trusted root.
Automating issuance and renewal removes most of this risk, because the tooling installs the leaf and the current intermediates together every time. Whether you renew by hand or on a schedule, finish by confirming the result with our SSL Certificate Checker, which reports the new expiry date and the chain the server is actually serving so you know the renewal landed cleanly.
How to inspect a real certificate chain
You do not have to take a chain on faith - you can read it directly. There are three practical ways to look at what a site is presenting:
- In a browser. Click the padlock in the address bar, open the certificate details, and look for the certification path or hierarchy view. It lists the leaf at the bottom, each intermediate above it, and the root at the top, so you can walk the chain link by link. Remember that a browser may have completed a missing intermediate with AIA fetching, so a clean view here does not guarantee strict clients agree.
- From the command line. A TLS client can connect to a host on port 443 and print every certificate the server returned, in the order it sent them. This is the most faithful view of what the server is genuinely handing out, because nothing fetches a missing intermediate on your behalf - if the intermediate is absent, you will see that it is absent.
- With an online chain checker. The quickest option is a service that connects for you, lists each certificate in the chain, verifies it reaches a trusted root, and explicitly warns when an intermediate is missing or out of order.
For a single domain, our SSL Analyzer shows the full chain the server presents and highlights gaps, while the SSL Certificate Checker focuses on validity, expiry and the issuing chain. If you want certificate health checked as part of a wider picture - alongside DNS, mail and other signals for the whole domain - run a Domain Health Report, which folds the certificate chain into an at-a-glance audit of the domain.
Related tools & reading
- SSL Analyzer - inspect the full certificate chain a site presents and spot a missing or out-of-order intermediate.
- SSL Certificate Checker - check a certificate's validity, expiry date and issuing chain.
- Domain Health Report - audit certificate, DNS and mail health for an entire domain in one report.
- Back to the Learning Center
Frequently asked questions
What is an SSL certificate chain?
An SSL certificate chain is the ordered list of certificates that links the certificate on your website (the leaf or server certificate) back to a root certificate that browsers and operating systems already trust. Because browsers do not trust your individual website certificate directly, each certificate in the chain is signed by the one above it: the root signs an intermediate, and the intermediate signs your leaf. A client follows this chain link by link until it reaches a trusted root, which is how it decides your certificate is genuine.
What is the difference between a root, intermediate and leaf certificate?
The root certificate belongs to the Certificate Authority and is self-signed; copies of it ship inside browser and operating-system trust stores. The intermediate certificate is signed by the root and is what actually signs customer certificates, so the precious root key can stay offline. The leaf certificate, also called the server or end-entity certificate, is the one issued for your specific domain and the one your web server presents to visitors. The leaf trusts the intermediate, and the intermediate trusts the root.
Why do I get an incomplete certificate chain error?
An incomplete chain error means your server is presenting its leaf certificate but not the intermediate certificate that links it to a trusted root. Some clients, notably desktop Chrome, can quietly fetch the missing intermediate using the Authority Information Access extension and so the site looks fine, while stricter clients such as many mobile apps, command-line tools, older Java stacks and some payment gateways do not, and they report the certificate as untrusted. The fix is to install the full chain (your leaf plus the intermediate) on the server, not just the leaf on its own.
Does the server need to send the root certificate?
No. The server should send its leaf certificate and any intermediate certificates, but not the root. The root certificate is already present in the client trust store, so sending it adds bytes to the handshake without adding trust, and a client will not trust a root simply because a server offered it. The correct bundle to install is the leaf followed by the intermediates, ordered from leaf upward, which is exactly what a fullchain file contains.
How do I renew an SSL certificate without breaking the chain?
When you renew, reissue or rotate a certificate, your Certificate Authority may sign it with a different or newer intermediate than before. The most common renewal mistake is installing only the new leaf certificate while leaving the old intermediate, or no intermediate, in place, which produces an incomplete or mismatched chain. Always install the new leaf together with the matching intermediates supplied with the renewal, reload the web server, and then verify the live chain before considering the renewal complete.
How can I inspect the certificate chain of a website?
You can inspect a chain from the server side or the client side. In a browser, click the padlock and open the certificate viewer to walk from the leaf up to the root. From the command line, a TLS client can print every certificate the server sends so you can confirm the intermediate is included. The fastest way is an online checker that connects to your site, lists each certificate in the chain, and flags a missing intermediate or an ordering problem for you.