
SSL Certificate Chains Explained: Why Your HTTPS Might Be Broken

2026-04-17 · 5 min read · SSL · Certificates

What is a certificate chain?

An SSL certificate chain is the sequence of certificates that links your server's certificate to a trusted root certificate authority (CA). Browsers and operating systems ship a curated set of root CAs (the root store) and trust nothing else by default. A client accepts your certificate only if it can build a path of valid signatures from that certificate back to one of those roots, and it builds that path from the certificates your server sends during the handshake.

The chain typically has three levels:

  • Root certificate - self-signed; pre-installed in browsers and operating systems
  • Intermediate certificate - issued by the root CA (or by another intermediate); signs your certificate. There may be more than one.
  • Leaf certificate - your server's certificate, issued by the intermediate; the only one that carries your hostname
Why chains break

The most common chain error is an incomplete chain. Your server sends its own certificate but not the intermediate certificate. The client trusts the root, and the leaf is signed by the intermediate, so without the intermediate there is no path from the leaf to the root; the browser shows a security warning, and a non-browser client simply refuses the connection.

This often goes undetected because some clients repair the chain on their own. Chrome, Safari and Windows fetch a missing intermediate from the URL in the leaf's Authority Information Access (AIA) extension, and browsers also cache intermediates they have seen on earlier visits to other sites that use the same CA. Command-line tools and language HTTP libraries (curl, Python, Java, Go) and most mobile apps do not fetch AIA, so they fail hard. Chrome might work fine while Firefox, curl or your monitoring agent shows an error.

How to check your chain

Method 1: Use a chain checker tool

The fastest way is to use CQwerty Shield's Certificate Chain Checker. It connects to your server, downloads the chain, and identifies any missing or misordered certificates.

Method 2: OpenSSL command line

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

-servername sends the hostname via SNI, so a server with several virtual hosts returns the certificate for example.com rather than its default one, and </dev/null closes the connection once the handshake is done. The output lists every certificate the server sent, leaf first, with a subject (s:) and issuer (i:) line before each PEM block, and ends with a Verify return code. You should see your leaf certificate followed by at least one intermediate, and the issuer of each certificate should be the subject of the next. A missing intermediate shows up as

verify error:num=20:unable to get local issuer certificate
...
Verify return code: 21 (unable to verify the first certificate)

If the same error appears at depth=1 or higher instead, the chain is probably complete and your OpenSSL build simply has no root store configured; re-run with -CAfile pointing at your system's CA bundle.

Fixing an incomplete chain

Step 1: Get the intermediate certificate

Your CA hands you the intermediate together with the leaf at issuance: ACME clients such as certbot save it as chain.pem next to cert.pem and also write fullchain.pem, and commercial CAs include it in the download bundle. If you only kept the leaf, Let's Encrypt, DigiCert, Sectigo, and others publish their current intermediates in their documentation. Pick the one whose subject matches the issuer shown in your leaf certificate's details; CAs rotate intermediates, so the one you downloaded last year may no longer be the right one.

Step 2: Bundle the certificates

Concatenate your leaf certificate and intermediate certificate(s) into a single file: leaf first, then the intermediate that signed it, then any further intermediate up the chain. Do not add the root; clients already have it.

cat your-cert.pem intermediate.pem > fullchain.pem

Step 3: Configure your server

Point your web server at the full chain file instead of the leaf certificate alone, reload it, and re-run the check from the previous section.

Nginx:

ssl_certificate /path/to/fullchain.pem;

Apache:

SSLCertificateFile /path/to/your-cert.pem
SSLCertificateChainFile /path/to/intermediate.pem

SSLCertificateChainFile is deprecated since Apache 2.4.8; on current versions point SSLCertificateFile at fullchain.pem instead and drop the second directive.
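The check and the fix above, end to end, as an added example that is not code from the original post or from CQwerty Shield. It builds a throwaway root, intermediate and leaf with the openssl command line (the names Example Test Root, Example Test Intermediate and www.example.test are constructed for the demo), then shows what a client that trusts only the root makes of a leaf-only bundle versus the leaf-plus-intermediate bundle from Step 2, and adds a small order check that walks a PEM bundle and confirms each certificate's issuer is the subject of the next. It needs only openssl, awk and sed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce an incomplete chain
# and its fix with a throwaway PKI. Requires only the openssl CLI, awk and sed.
# All names below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: an extension section for CA certificates and one
# for the server (leaf) certificate.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# newkey_csr OUT-KEY OUT-CSR SUBJECT: a P-256 key plus a CSR for SUBJECT.
newkey_csr() {
  openssl req -config pki.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Root (self-signed) -> intermediate (signed by root) -> leaf (signed by intermediate).
openssl req -x509 -config pki.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -nodes -keyout root.key -out root.pem -subj "/CN=Example Test Root" -days 1 2>/dev/null
newkey_csr int.key int.csr "/CN=Example Test Intermediate"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile pki.cnf -extensions ca_ext -days 1 -out int.pem 2>/dev/null
newkey_csr leaf.key leaf.csr "/CN=www.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -extfile pki.cnf -extensions leaf_ext -days 1 -out leaf.pem 2>/dev/null

# cert_field FILE subject|issuer: the DN in RFC 2253 form, without the "subject=" prefix.
cert_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# split_pem BUNDLE PREFIX: write PREFIX.1, PREFIX.2, ... (one certificate each,
# in the order they appear in BUNDLE) and print how many there were.
split_pem() {
  awk -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = p "." n }
    n > 0 { print > out }
    END { print n + 0 }' "$1"
}

# check_order BUNDLE: "ok" when every certificate is followed by its issuer
# (leaf first, then intermediates, root optional); otherwise the first break.
# A single-certificate bundle is trivially ordered; a missing intermediate is
# caught by verify_against_root, not here.
check_order() {
  n=$(split_pem "$1" part)
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(cert_field "part.$i" issuer)
    subject=$(cert_field "part.$j" subject)
    if [ "$issuer" != "$subject" ]; then
      echo "certificate $i was issued by $issuer but certificate $j is $subject"
      return 0
    fi
    i=$j
  done
  echo ok
}

# verify_against_root BUNDLE: what a client that trusts only root.pem makes of
# the first certificate in BUNDLE, with the remaining ones offered as untrusted
# helpers, which is exactly how a TLS client treats the server's Certificate
# message. Prints "OK" or OpenSSL's reason for the failure.
verify_against_root() {
  : > rest.pem
  awk '/-----BEGIN CERTIFICATE-----/ { n++ }
       n == 1 { print > "first.pem" }
       n >  1 { print > "rest.pem" }' "$1"
  if [ -s rest.pem ]; then
    out=$(openssl verify -CAfile root.pem -untrusted rest.pem first.pem 2>&1) && { echo OK; return 0; }
  else
    out=$(openssl verify -CAfile root.pem first.pem 2>&1) && { echo OK; return 0; }
  fi
  echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# The bundles a server might be configured with.
cp leaf.pem leaf-only.pem                      # what the misconfigured server sends
cat leaf.pem int.pem > fullchain.pem           # the fix from Step 2: leaf, then intermediate
cat int.pem leaf.pem > wrong-order.pem         # same certificates, swapped
cat leaf.pem int.pem root.pem > with-root.pem  # root appended: pointless but not an error

echo "leaf only:          $(verify_against_root leaf-only.pem)"
echo "leaf+intermediate:  $(verify_against_root fullchain.pem)"
echo "order, fullchain:   $(check_order fullchain.pem)"
echo "order, swapped:     $(check_order wrong-order.pem)"
echo "order, with root:   $(check_order with-root.pem)"
```

The leaf-only bundle fails with "unable to get local issuer certificate", the same error 20 that s_client reports at depth 0; the bundle with the intermediate verifies. Note that verify_against_root alone would pass the swapped bundle, because its first certificate (the intermediate) does chain to the root; only the order check catches that the server is presenting the wrong certificate first, which is why a chain checker needs both tests.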

Common chain problems

  • Missing intermediate - the server only sends the leaf certificate; by far the most common failure
  • Wrong order - the leaf must come first and each later certificate should be the issuer of the one before it. TLS 1.3 allows clients to tolerate disorder, but older clients and many TLS libraries reject it
  • Expired intermediate - the intermediate itself has expired, so every certificate it signed fails even though the leaf is within its validity period; this usually means the server kept serving an old intermediate after the CA rotated to a new one
  • Cross-signed confusion - the intermediate is signed by more than one root, so several valid chains exist, and the server sends the one ending in a root the client does not trust (or that has expired) when another would have worked
  • Self-signed root included - sending the root wastes bandwidth; clients ignore it and use their own copy, so it is harmless but pointless
Key takeaways

  • Your server must send the full chain, not just the leaf certificate
  • Test with more than one client, including a non-browser one such as curl, because browsers fetch or cache intermediates and hide the problem
  • Let's Encrypt's certbot writes fullchain.pem for you; make sure the server is configured to use it rather than cert.pem
  • Check your chain after every certificate renewal, since CAs rotate intermediates