What Is a Missing Intermediate Certificate?
SSL/TLS certificates use a chain of trust. Your domain's certificate (the leaf) is signed by an Intermediate Certificate Authority (CA), which is signed by a Root CA. Browsers only trust Root CAs by default, so your server must send both the leaf certificate and the intermediate certificate for clients to verify the chain.
When you install an SSL certificate, you need to configure your web server with a "bundle" file or "chain file" that includes both your certificate and the intermediate cert. If you only install the domain certificate and forget the intermediate, the chain is broken.
Why Chrome Doesn't Show the Error
Modern Chrome can fetch missing intermediate certificates using the Authority Information Access (AIA) extension in the certificate. If your cert's AIA field points to the intermediate cert's download URL (most do), Chrome will fetch it automatically and the connection succeeds.
This masks the problem. Your site "works" in Chrome but fails in: older browsers, Firefox (stricter), Safari on some iOS versions, curl, wget, API clients, and Java applications. These don't perform AIA fetching.
Check your chain: NetDig's SSL Chain Visualizer shows the full certificate chain and flags missing intermediates — check any domain in seconds.
How to Fix It in nginx
In nginx, the ssl_certificate directive should point to a file containing your certificate followed by the intermediate certificate(s). Concatenate them:
# Create the bundle
cat yourdomain.crt intermediate.crt > bundle.crt
# nginx config
ssl_certificate /etc/ssl/bundle.crt;
ssl_certificate_key /etc/ssl/yourdomain.key;
The order matters: your certificate must come first, then the intermediate(s), then optionally the root (though root is usually omitted).
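A pre-deployment check for the bundle built above, as an added example that is not from the original page. check_bundle (a hypothetical helper name) verifies the first certificate in a bundle using only the other certificates in the same file, which is what a client without AIA fetching has to work with. make_constructed_chain builds a throwaway root, intermediate and leaf so the check runs offline, and both assume the openssl CLI is installed.

```shell
#!/bin/sh
# check_bundle BUNDLE ROOT (hypothetical helper, not from the page)
# Returns 0 when the first certificate in BUNDLE chains to ROOT using only
# the other certificates in BUNDLE; non-zero when an intermediate is missing.
check_bundle() {
    bundle=$1 root=$2
    work=$(mktemp -d) || return 2
    # First PEM block is treated as the leaf, the rest as intermediates.
    awk -v d="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (d "/leaf.pem") }
        n >= 2 { print > (d "/rest.pem") }' "$bundle"
    # -untrusted offers only what the server would send; nothing is fetched.
    if [ -s "$work/rest.pem" ]; then
        openssl verify -CAfile "$root" -untrusted "$work/rest.pem" \
            "$work/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$work/leaf.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# make_constructed_chain DIR: throwaway root -> intermediate -> leaf.
# All names, keys and lifetimes are constructed for this example.
make_constructed_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=placeholder' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 -out "$d/intermediate.crt" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=yourdomain.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/yourdomain.crt" 2>/dev/null
    cat "$d/yourdomain.crt" "$d/intermediate.crt" > "$d/bundle.crt"
}

# Demonstration on the constructed chain: full bundle vs. leaf-only file.
d=$(mktemp -d) && make_constructed_chain "$d"
check_bundle "$d/bundle.crt" "$d/root.crt" && echo "bundle.crt: chain complete"
check_bundle "$d/yourdomain.crt" "$d/root.crt" || echo "yourdomain.crt alone: intermediate missing"
rm -rf "$d"
```

For a real bundle, pass your CA's root certificate as the second argument.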
How to Fix It in Apache
SSLCertificateFile /etc/ssl/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/yourdomain.key
SSLCertificateChainFile /etc/ssl/intermediate.crt
In Apache 2.4.8+, you can also use a bundle file with SSLCertificateFile — just include both certs in the same file.
How to Fix It with Let's Encrypt / Certbot
Certbot creates several certificate files. Always use fullchain.pem (not cert.pem) — it contains both the leaf and intermediate certificates. In nginx:
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
How to Get the Intermediate Certificate
Download it from your CA's website. For Let's Encrypt, it's included in fullchain.pem. For commercial CAs (DigiCert, Sectigo, GlobalSign), check your certificate issuance email or your CA's "intermediate certificate" download page.
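You can also extract it programmatically from a server that already sends the full chain. The first certificate in the -showcerts output is the leaf, so keep only the certificates after it:
openssl s_client -showcerts -connect yourdomain.com:443 < /dev/null 2>/dev/null | awk '/BEGIN CERTIFICATE/{n++; p=1} p && n>=2; /END CERTIFICATE/{p=0}' > chain.pem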
Use the SSL Chain Visualizer — it clearly shows whether the intermediate is present. Or run: openssl s_client -connect yourdomain.com:443 and check the 'Certificate chain' section. It should show 2-3 certs.
Not directly for Chrome users since Chrome hides the problem. But it breaks connections from curl, API clients, and some mobile apps, which affects reliability more than SEO.
No. Root certificates are pre-installed in browsers and OS trust stores. Only include your leaf and intermediate certificates.