What Is an SSL Certificate Chain? (Chain of Trust)

Jul 13, 2026
Updated Jul 13, 2026 SSL & TLS ssl certificate chain certificate chain chain of trust intermediate certificate

An SSL certificate chain (or chain of trust) is the ordered list of certificates that links the certificate on your website back to a trusted root certificate authority. A browser trusts your site's certificate not on its own, but because it can follow this chain — leaf → intermediate → root — up to a root it already trusts. If any link is missing, the connection fails even when the certificate itself is perfectly valid.

What is an SSL certificate chain?

Public certificates follow the X.509 standard (RFC 5280). A certificate authority (CA) does not sign your certificate with its precious root key directly. Instead it uses an intermediate certificate, which is itself signed by the root. That creates a chain: each certificate is signed by the one above it, and the root sits in the browser or operating system's trust store.

The three links in the chain

CertificateRole
Leaf (server) certificateThe certificate issued for your domain, e.g. example.com. This is the one your server presents.
Intermediate certificateSigns the leaf and is signed by the root. There may be more than one. Your server must send these alongside the leaf.
Root certificateThe CA's self-signed anchor of trust. It lives in the client's trust store and is never sent by your server.

The golden rule: your server sends the leaf plus all intermediates, but not the root. The client already has the root; it just needs the intermediates to connect the two.

Why an incomplete chain breaks things

If your server omits an intermediate certificate, a client that does not happen to cache that intermediate cannot build a path to a trusted root. The result is errors like unable to get local issuer certificate or incomplete certificate chain. Confusingly, this often works in one browser (which cached the intermediate earlier) and fails in another, or fails only for API clients and mobile apps — a classic sign of a missing intermediate.

How to check your SSL certificate chain

# show every certificate the server sends
openssl s_client -connect example.com:443 -showcerts

# just verify the chain
openssl s_client -connect example.com:443 -verify_return_error

For a readable breakdown of the chain, expiry, and configuration without the command line, run your domain through the free SSL certificate checker. It flags a missing intermediate directly.

How to fix a broken chain

  • Install the full bundle. Your CA provides a "full chain" or "bundle" file that includes the intermediates. Configure your server to serve that, not just the leaf certificate.
  • Order matters. The chain file should list the leaf first, then each intermediate in order toward the root.
  • Let's Encrypt users: use fullchain.pem, not cert.pem — the former already contains the intermediates.

Related SSL guides

A broken chain is one of several reasons a certificate is rejected — see invalid SSL certificate causes. To keep chains valid over time, read about SSL certificate monitoring, and when a certificate nears expiry, renew it.

Frequently asked questions

Should my server send the root certificate?

No. The root already lives in the client's trust store. Sending it wastes bytes and does nothing for trust — send only the leaf and intermediates.

Why does my certificate work in Chrome but fail elsewhere?

Usually a missing intermediate. Chrome may have cached the intermediate from another site, so it builds the chain anyway, while a stricter client or a fresh device cannot.

What is an intermediate certificate?

A certificate that sits between your leaf certificate and the CA root. It is signed by the root and used to sign your certificate, keeping the root key offline and safe.

Scan for these vulnerabilities

Secably automatically detects the issues discussed in this article.

Start Free Scan