SSL Certificate Chain Checker
Visualize the full certificate trust chain for any domain. Identify missing intermediates, expiry issues, and chain configuration problems.
What Is a Certificate Chain?
SSL/TLS uses a chain of trust. Your domain's certificate (the leaf) is signed by an Intermediate CA, which is signed by a Root CA that browsers trust by default. For HTTPS to work, your server must present the complete chain.
The most common SSL error — outside of expired certs — is a missing intermediate certificate. Your server sends the leaf cert but not the intermediate, causing errors in some clients even though it might work in Chrome (which fetches missing intermediates via AIA).
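The missing-intermediate failure described above can be reproduced offline with the openssl CLI, verifying the leaf the way a client that does not fetch via AIA would. This is an added example, not code from this page or tool; the demo CA subjects, the file names and the hostname example.test are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: all subjects, file names and example.test are constructed.

new_csr() {  # $1 = file basename, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {  # builds a throwaway root -> intermediate -> leaf in the cwd
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'subjectAltName=DNS:example.test\n' > leaf.ext
  new_csr root "Demo Root CA" &&
  new_csr inter "Demo Intermediate CA" &&
  new_csr leaf "example.test" &&
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -days 30 -extfile ca.ext -out inter.pem 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null &&
  cat leaf.pem inter.pem > fullchain.pem  # leaf first, then intermediate
}

# Verify the leaf as a client that does no AIA fetching: only the root is
# trusted, and the only other certificates available are those in $1, the
# file the server would present.
verify_as_client() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem
}

work=$(mktemp -d) && cd "$work" && make_chain || exit 1
verify_as_client fullchain.pem && echo "full chain presented: verifies"
verify_as_client leaf.pem || echo "leaf only presented: fails (missing intermediate)"
```

The same `openssl verify -CAfile ... -untrusted ...` check works against a real deployment by substituting the CA's root and the bundle file your server is configured to send.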
Common Certificate Chain Issues
- Missing intermediate — install the full chain in your web server config
- Expired certificate — renew immediately; Let's Encrypt auto-renews every 90 days
- Wrong domain — cert's CN/SANs don't match the hostname
- Self-signed — not trusted by browsers; use Let's Encrypt or a CA
- Revoked certificate — must be reissued from your CA
- Wrong order — chain certs must be in correct order (leaf → intermediates → root)
Frequently Asked Questions
The chain links your domain's cert back to a trusted root CA via intermediate certificates. Root → Intermediate → Leaf (your domain). Your server must present the leaf plus all intermediates for clients to verify trust.
A missing intermediate is when your server sends only the leaf cert, without the intermediate CA cert. Chrome often works anyway (it fetches missing certs via AIA), but curl, older browsers, iOS, and APIs will show SSL errors.
Download the intermediate cert from your CA and include it in your server config. In nginx: use ssl_certificate with a "bundle" file containing leaf + intermediate. In Apache: use SSLCertificateChainFile.
Possible reasons: expired, missing intermediate, wrong domain name (CN/SAN mismatch), self-signed, or revoked. Use this tool to diagnose which issue applies.