Login
Menu

SSL Certificate Chain Explained: The Chain of Trust, and Why Yours Might Be Broken

A certificate is not trusted because it claims to be. It is trusted because it can be traced, link by link, back to a party the client already trusts. That traceable path is the SSL certificate chain, and understanding it precisely is the difference between an SSL setup that works everywhere and one that works in your browser but throws “certificate not trusted” errors on a customer’s phone.

Here is the part most tutorials gloss over: a perfectly valid, correctly issued certificate can still fail to verify. Not because the certificate is wrong, but because the chain is incomplete. The single most common cause of a trust error on an otherwise-valid certificate is a server that sends its own certificate and forgets the intermediate that signed it. Let’s build the model carefully, because once the mechanism is clear, the failure mode and its fix become obvious.

Key Takeaways
• The certificate chain (or chain of trust) is the ordered sequence of certificates that links your site’s certificate up to a trusted root certificate authority (CA).
• It has three roles: a root (the trust anchor, self-signed, pre-installed in client trust stores), one or more intermediates (signed by the root, used to sign end-entity certificates), and your leaf certificate (the end-entity cert for your domain).
• A client establishes trust by walking from your leaf to an intermediate to a root it already trusts. Every link must be signed by the link above it.
• The #1 failure mode is an incomplete chain: the server sends the leaf but omits the intermediate(s). Browsers often quietly recover; many mobile apps, older clients, and API clients do not.
• The fix is to serve the full chain (`fullchain.pem`: leaf + intermediates, but not the root) and verify it with `openssl s_client -showcerts`.

What is an SSL certificate chain?

An SSL certificate chain is the ordered list of certificates a client uses to verify that your site’s certificate ultimately descends from a certificate authority it already trusts. Think of it as a notarized paper trail. Your certificate vouches for your domain, an intermediate vouches for your certificate, and a root vouches for the intermediate. The client only inherently trusts the root; everything else has to be proven by following the signatures upward.

The reason a chain exists at all, rather than a CA simply signing your certificate directly with its root, is operational security. The root’s private key is the crown jewel of the entire public key infrastructure. If it leaks, every certificate it ever signed is compromised. So CAs keep the root key offline, often in an air-gapped hardware security module, and use it only rarely to sign intermediates. The intermediates do the day-to-day work of signing customer certificates. This is why your chain almost always has at least one intermediate in the middle: it is the deliberate buffer between the irreplaceable root and the millions of certificates issued each day.

The three components of the chain

Each link in the chain plays a distinct role. Confusing them is where most troubleshooting goes wrong, so here is the precise breakdown.

Component Also called Signed by Where it lives Sent by your server?
Root certificate Trust anchor, root CA Itself (self-signed) Pre-installed in browser / OS trust stores No — clients already have it
Intermediate certificate(s) Issuing CA, subordinate CA The root (or a higher intermediate) Issued to you alongside your cert Yes — must be served
Leaf certificate End-entity cert, your SSL cert An intermediate On your server, bound to your domain Yes — always served

The root certificate is self-signed. That sounds suspicious until you realize it has to be: it is the top of the tree, so there is nothing above it to sign it. Its trustworthiness comes not from a signature but from the fact that it is pre-distributed into the trust stores shipped with operating systems and browsers. You trust it because your device’s vendor decided to include it after auditing the CA.

The intermediate certificate is the working signer. It is signed by the root, and it in turn signs your leaf. A chain can contain more than one intermediate; the principle is identical at each step, with each certificate signed by the one above it.

The leaf certificate (also called the end-entity certificate) is your actual SSL certificate, the one carrying your domain name in its subject and Subject Alternative Names. It is signed by an intermediate and sits at the bottom of the chain. It cannot sign other certificates; it is the end of the line.

How does the chain actually get validated?

When a client connects over HTTPS, the server presents its certificate and, ideally, the intermediates. The client then performs path validation, which is a deliberate walk up the chain:

  1. The client looks at your leaf certificate and reads its issuer field, which names the intermediate that signed it.
  2. It verifies the leaf’s signature using the intermediate’s public key. If the signature checks out, the leaf is authentic and unmodified.
  3. It then looks at the intermediate’s issuer field, which names the root, and verifies the intermediate’s signature using the root’s public key.
  4. Finally, it checks whether that root is present in its local trust store. If the root is trusted and every signature along the way verified, the chain is complete and trust is established.

Crucially, the validation also confirms each certificate is within its validity period, has not been revoked, and that intermediates carry the basic-constraints flag marking them as CAs permitted to sign. But the structural heart of it is the signature walk: leaf signed by intermediate, intermediate signed by root, root already trusted.

Here is the insight that resolves the majority of real-world SSL trust failures: the most common “certificate not trusted” error on an otherwise-valid certificate is an incomplete chain. The server sends only the leaf and omits the intermediate. Desktop browsers frequently paper over this, because they can fetch the missing intermediate themselves using the Authority Information Access (AIA) URL embedded in the leaf, or they cache intermediates seen previously. This is why “it works on my laptop” is a dangerously misleading test. Many clients do not do AIA fetching: a large share of mobile app HTTP stacks, older Android versions, Java and .NET API clients, IoT devices, and command-line tools like older `curl` and `wget` builds. To those clients, a leaf with no intermediate is an orphan with no provable path to a root, and they reject it outright. The certificate is valid. The chain delivery is broken. Always serve the full chain and never rely on the client to repair your configuration for you.

Why the root is never sent

A subtle but important point: your server should send the leaf and the intermediate(s), but it should not send the root. The client already has the root in its trust store; sending it again is redundant. Worse, sending the root accomplishes nothing security-wise, because trust comes from the client’s own copy of the root, not from whatever your server claims. Including it just wastes a few bytes in the handshake. This is exactly why the conventional bundle is called `fullchain.pem` and contains leaf + intermediates only, stopping deliberately short of the root.

What does an incomplete chain look like, and how do I diagnose it?

The symptom is maddeningly inconsistent: the site loads cleanly in Chrome on your desktop, then a user reports a security warning from their banking app’s webview, or your monitoring API call fails with `x509: certificate signed by unknown authority`. That inconsistency is the signature of an incomplete chain, because it depends entirely on whether the failing client does AIA fetching.

The authoritative way to see exactly what your server is sending is `openssl`. This command opens a TLS connection and prints every certificate the server transmits:

“`bash openssl s_client -connect example.com:443 -servername example.com -showcerts “`

The `-showcerts` flag is the important one: it dumps the full list of certificates received. Read the output top to bottom. You should see a `Certificate chain` section listing your leaf first (subject = your domain), then each intermediate, with each entry’s issuer matching the subject of the next. A correctly served chain looks like this in the summary:

“` Certificate chain 0 s:CN = example.com i:C = US, O = Example CA, CN = Example CA Intermediate G2 1 s:C = US, O = Example CA, CN = Example CA Intermediate G2 i:C = US, O = Example CA, CN = Example CA Root “`

Note how entry `0` (your leaf) is *issued by* the intermediate at entry `1`, and entry `1` is issued by the root. The chain is contiguous. If you instead see only entry `0` and nothing below it, your server is sending the leaf alone — that is the incomplete chain, exposed.

The other line to read is the verification result near the end of the output:

“` Verify return code: 0 (ok) “`

A `0 (ok)` means the chain validated against your local trust store. If you see something like `21 (unable to verify the first certificate)` or `20 (unable to get local issuer certificate)`, that is `openssl` telling you it could not build a path to a trusted root, almost always because an intermediate is missing from what the server sent.

For a quick reproducible check that does not depend on a cached desktop trust store, you can pull the chain non-interactively:

“`bash echo | openssl s_client -connect example.com:443 -servername example.com -showcerts 2>/dev/null | openssl crl2pkcs7 -nocrl -certs /dev/stdin | openssl pkcs7 -print_certs -noout “`

This lists the subject and issuer of every certificate in the order your server delivered them, which makes a gap immediately visible.

How do I fix a broken or incomplete chain?

The fix is conceptually simple: configure your server to present the leaf and every intermediate up to (but not including) the root. The mechanics depend on your stack.

  • The combined-file approach. Most CAs provide your certificate and a separate “CA bundle” or “intermediate bundle” file. Concatenate them, leaf first, then intermediates, into a single `fullchain.pem`. Order matters: the leaf must come first, followed by each intermediate in ascending order toward the root.
  • Nginx expects a single file holding the full chain. Point `ssl_certificate` at `fullchain.pem` (not at the bare leaf), and `ssl_certificate_key` at your private key.
  • Apache historically used a separate `SSLCertificateChainFile` directive, but modern versions accept the intermediates appended to the file given in `SSLCertificateFile`. Append the intermediate(s) to your leaf and reload.
  • Automated issuers that integrate with ACME typically write a `fullchain.pem` for exactly this reason. Always point your server config at the *fullchain* file the tool produces, not at the standalone `cert.pem`.

After any change, re-run the `openssl s_client -showcerts` check above and confirm two things: the chain section now lists your intermediate(s) below the leaf, and the verify return code is `0`. Do not declare victory based on a desktop browser; it may be hiding the problem with AIA fetching. The `openssl` verify result is the honest answer.

Skip the chain headaches with DarazHost

If wrangling `fullchain.pem` files and reading `openssl` output is not how you want to spend your week, this is precisely the kind of thing managed hosting is for. DarazHost provisions complete, correct certificate chains automatically: every site gets free AutoSSL with the full chain installed — leaf plus the required intermediate(s), never the root — so every client, from desktop browsers to mobile apps to API consumers, can validate a clean path to a trusted CA without chain errors. There is nothing for you to concatenate and nothing to forget.

For teams who manage certificates themselves, DarazHost’s Linux and Windows SSD VPS plans give you full root access to install custom certificates, bundles, and server configurations exactly the way you want them, on infrastructure backed by 99.9% uptime and high-speed SSD storage. And if a chain issue ever does surface, 24/7 technical support can read the `s_client` output with you and get the intermediates serving correctly. On-brand SSL handling, global reach, and a support team that actually understands path validation. and .

Frequently asked questions

What is the difference between a certificate chain and a certificate bundle? They describe the same set of certificates from different angles. The chain is the logical trust relationship — leaf signed by intermediate, intermediate signed by root. The bundle (often `fullchain.pem` or a “CA bundle” file) is the physical file in which those certificates are stored together so your server can present them. A correct bundle contains the leaf and intermediate(s) in chain order.

Why does my site work in Chrome but fail on mobile or in API calls? Almost certainly an incomplete chain. Desktop browsers can fetch a missing intermediate on the fly using the AIA extension or a cached copy, masking the misconfiguration. Many mobile app HTTP stacks, older clients, and programmatic API clients do not, so they reject the orphaned leaf. Serve the full chain to fix it for everyone.

Should I include the root certificate in my server’s chain file? No. Clients already have the root in their trust store, and trust derives from that local copy, not from anything your server sends. Including the root adds bytes to the handshake without improving security. Serve leaf + intermediate(s) only — that is what `fullchain.pem` contains.

How do I check my certificate chain from the command line? Run `openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts`. Read the `Certificate chain` section to confirm your intermediate(s) appear below the leaf with matching issuer/subject links, and confirm the `Verify return code: 0 (ok)` line. A non-zero verify code usually means a missing intermediate.

Can an expired intermediate break my otherwise-valid certificate? Yes. Path validation requires every certificate in the chain to be within its validity period, not just your leaf. If an intermediate expires (or is revoked), the chain can no longer validate even though your leaf is perfectly current. This is one reason CAs roll intermediates and why keeping your served bundle up to date matters.

About the Author
Tobias Reinhardt

Leave a Reply