S
SSL Certificate Expiry

SSL Certificate Chain Explained

How SSL certificate chains work: root CAs, intermediate certificates, and leaf certificates. Why chain errors break your site and how to fix them.

When your browser connects to a website over HTTPS, it doesn't just check one certificate. It checks a whole chain of them. If any link in that chain is broken, missing, or expired, the connection fails. Understanding how certificate chains work is the key to diagnosing some of the most frustrating SSL errors you'll encounter.

The Chain of Trust

SSL certificates work on a trust hierarchy. Think of it as a vouching system with three levels:

Root Certificate Authority (Root CA) sits at the top. These are organizations like DigiCert, Let's Encrypt (ISRG), Sectigo, and GlobalSign. Their root certificates are pre-installed in every major operating system and browser. Your computer inherently trusts them because the OS or browser vendor decided they're trustworthy. There are roughly 150 root CAs trusted by major browsers.

Intermediate Certificate Authority (Intermediate CA) sits in the middle. Root CAs don't sign your certificate directly. Instead, they sign intermediate certificates, and those intermediates sign your certificate. There can be one or more intermediates in the chain.

Leaf Certificate (End-Entity Certificate) is your certificate -- the one issued for your domain name. It sits at the bottom of the chain.

The chain works like this:

Root CA (pre-trusted by browsers/OS)
  └── Intermediate CA (signed by Root CA)
        └── Your Certificate (signed by Intermediate CA)

When a browser connects to your site, it needs to walk this chain from your leaf certificate all the way up to a trusted root. Every link must be valid, unexpired, and properly signed.

Why Intermediate Certificates Exist

You might wonder: why not just have the root CA sign certificates directly? The answer is security.

Root CA private keys are extraordinarily valuable. If a root CA key is compromised, every certificate it ever signed becomes untrustworthy. That would mean revoking potentially millions of certificates.

To protect against this, root CAs keep their private keys in offline, air-gapped hardware security modules (HSMs). They rarely use them. Instead, they sign a handful of intermediate certificates, and those intermediates handle the day-to-day work of issuing certificates.

If an intermediate key is compromised, only that intermediate needs to be revoked. The root CA can issue a new intermediate, and the damage is contained. It's the same principle as not carrying your entire life savings in your wallet -- you use a debit card linked to a checking account instead.

Multiple levels of intermediates

Some chains have two or even three intermediate certificates. This is normal. Let's Encrypt, for example, uses a chain where the ISRG Root X1 signs an intermediate (R3 or R10/R11), which signs your leaf certificate. Cross-signing can add additional intermediates.

How Browsers Validate the Chain

When your browser connects to an HTTPS site, the server sends its leaf certificate along with any intermediate certificates. The browser then:

  1. Checks the leaf certificate -- Is it valid for this domain? Is it within its validity period? Has it been revoked?
  2. Finds the issuer -- Looks at the "Issuer" field in the leaf certificate and matches it to an intermediate.
  3. Validates the intermediate -- Checks its signature against the next certificate up the chain.
  4. Repeats until it reaches a root CA that's in the browser's trust store.
  5. Confirms the root -- If the chain terminates at a trusted root, the connection is valid.

This whole process happens in milliseconds. But if any step fails, the browser shows an error.

Common Chain Problems

Here's where things go wrong in practice, and they go wrong more often than you'd expect.

Missing Intermediate Certificate

This is the single most common chain error. Your server sends the leaf certificate but forgets to include the intermediate. Some browsers (Chrome, particularly) will try to fetch the missing intermediate on their own using a mechanism called Authority Information Access (AIA). Firefox does not do this -- it strictly requires the server to provide the full chain.

The result: your site works fine in Chrome but breaks in Firefox. Or it works on desktops but fails on older Android devices. This inconsistency makes the problem hard to diagnose because it seems intermittent.

Wrong Certificate Order

The certificates in the chain must be sent in order: leaf first, then intermediate(s), with each certificate's issuer matching the next certificate in the sequence. Some web servers are strict about this; others are forgiving. Getting the order wrong can cause validation failures on certain clients.

Expired Intermediate Certificate

Your leaf certificate might be perfectly valid, but if the intermediate that signed it has expired, the entire chain is broken. This is particularly tricky because you didn't do anything wrong -- the CA's intermediate expired, and it breaks your site.

You can't fix an expired intermediate yourself

If an intermediate certificate expires, only the CA can fix it by issuing a new intermediate. You then need to update the chain on your server with the new intermediate. Monitor your full chain, not just your leaf certificate.

Cross-Signing Confusion

Let's Encrypt's ISRG Root X1 was cross-signed by IdenTrust's DST Root CA X3 to gain trust on older devices. When DST Root CA X3 expired in September 2021, it caused widespread issues on older Android devices and some IoT hardware. Cross-signing creates multiple possible chain paths, and some clients follow the wrong one.

Monitor your full certificate chain

SSL Certificate Expiry checks not just your leaf certificate but the entire chain for issues.

How to Check Your Certificate Chain

Using OpenSSL

The fastest way to inspect a chain from the command line:

openssl s_client -connect yourdomain.com:443 -showcerts

This displays every certificate the server sends. Look for a sequence of BEGIN CERTIFICATE / END CERTIFICATE blocks. You should see your leaf certificate first, followed by one or more intermediates. Check the issuer and subject fields to verify each certificate links to the next.

To check expiry dates of each certificate in the chain:

openssl s_client -connect yourdomain.com:443 -showcerts 2>/dev/null | \
  openssl x509 -noout -dates

Using SSL Labs

Qualys SSL Labs (ssllabs.com/ssltest) provides a thorough chain analysis. It will explicitly tell you if intermediates are missing, in the wrong order, or have issues. It also shows which root CA terminates the chain and flags any trust issues across different platforms.

Using Browser Developer Tools

In Chrome, click the padlock icon, then "Connection is secure," then "Certificate is valid." The "Certification Path" tab shows the complete chain from your leaf certificate up to the root CA. Each level shows its validity status.

How to Fix Chain Issues

Most chain problems come down to one thing: your server isn't sending the right certificates in the right order. Here's how to fix it.

1

Get the correct intermediate certificates

Download them from your CA's documentation. Don't guess -- every CA publishes their intermediate certificates. Let's Encrypt lists theirs at letsencrypt.org/certificates. DigiCert, Sectigo, and others have similar pages.

2

Concatenate certificates in the correct order

Create a single file with your leaf certificate first, followed by the intermediate(s). The root certificate should NOT be included -- browsers already have it.

-----BEGIN CERTIFICATE-----
(Your leaf certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
3

Configure your web server

In Nginx, use the ssl_certificate directive pointing to the concatenated file. In Apache, use SSLCertificateFile for the leaf and SSLCertificateChainFile for the intermediates (or combine them). Restart your web server after changes.

4

Verify the fix

Test with SSL Labs or OpenSSL. Check in multiple browsers, especially Firefox, which is the strictest about chain validation. Test on a mobile device too.

Chain Monitoring Matters

Certificate chains aren't a set-and-forget configuration. Intermediates expire. CAs rotate their intermediates. Cross-signing relationships change. A chain that's valid today might break in six months when a CA swaps out an intermediate.

Monitoring your full certificate chain -- not just the leaf certificate's expiry date -- catches these problems before your users do. An automated check that validates the entire chain against multiple trust stores gives you early warning when something changes upstream.

Related Articles

A certificate is only as strong as the chain behind it. One missing intermediate and the whole thing falls apart.

Never miss an SSL certificate expiry

Monitor your certificates and get alerts before they expire. Free for up to 3 certificates.