Technical Guide

What is an SSL Certificate Chain? Root, Intermediate, & Leaf Certs Explained

An SSL certificate error is still one of the most common reasons for browser security warnings, even on sites that seem appropriately configured. In many cases, the server has a valid certificate, but it isn't trusted by the browser. Why? A broken SSL certificate chain.

In this post, we will explain how an SSL certificate chain works, what happens if your chain is incomplete, and how to correctly set it up on Apache, NGINX, and IIS.

What is an SSL Certificate Chain?

A chain of trust, also called an SSL certificate chain (or just the "chain"), is an ordered list of certificates that allows a browser to decide whether it should trust a website. Whenever a client connects to a secure site, it must be possible to trace trust backwards through the following:

  • The site's certificate (Leaf Certificate)
  • Via one or more intermediate certificates
  • To a trusted root certificate

If this path is broken, browsers won't "trust" the connection, leading to security warnings.

The Three Key Ingredients:

1. Root Certificate (Trust Anchor)

A Root Certificate is the foundation of trust. It is issued by a reputable Certificate Authority (CA) and is pre-installed in browser and operating system trust stores. Examples of such CAs include DigiCert, Sectigo, GlobalSign, and Let’s Encrypt.

2. Intermediate Certificate (Trust Bridge)

This certificate provides a trusted link between the root (whose private key is usually kept offline for safety) and the server certificate for your site. The most common reason a website fails SSL validation is that the intermediate certificate is missing or misconfigured.

3. Leaf Certificate (End-Entity Certificate)

This is the certificate issued specifically to your domain (e.g., www.example.com). It contains your domain name, public key, and validity period.

Why Browsers Fail When Intermediates Are Missing

If a server sends only the leaf certificate with no intermediates, the browser may not be able to build the path back to a trusted root. Some desktop browsers try to fetch missing intermediates automatically (using the issuer URL embedded in the certificate's Authority Information Access extension), but many mobile devices, older systems, and non-browser clients such as command-line tools and libraries will simply fail the connection.

Common errors include:

  • Certificate chain incomplete
  • Cannot verify the first certificate
  • SSL handshake failed

Remember: It is always the server's responsibility to send the full certificate chain.

How to Install a Complete Chain

Apache (httpd)

Request your certificates from the CA, making sure you receive both the server certificate and the CA bundle (the intermediate certificates).

SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/private.key
SSLCertificateChainFile /path/to/intermediate.pem

Then restart Apache: systemctl restart httpd

Note that on Apache 2.4.8 and later, SSLCertificateChainFile is deprecated: append the intermediate certificates to the file referenced by SSLCertificateFile (your own certificate first, then the intermediates) and omit the chain directive.

NGINX

For NGINX, you must combine your certificate and the intermediate certificate into a single file, with your own certificate first:

cat domain.crt intermediate.crt > fullchain.pem

Update your configuration:

ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/private.key;

Test and reload: nginx -t && systemctl reload nginx

IIS (Windows Server)

Import the server certificate into the "Personal" store and the intermediate certificates into the "Intermediate Certification Authorities" store using the MMC console. Ensure the certificate is correctly bound to port 443 in IIS Manager.

Verifying Your SSL Chain

To ensure your chain is complete, you should check for:

  • ✔ Chain completeness (no missing links)
  • ✔ Correct order (Leaf → Intermediate → Root)
  • ✔ No expired intermediate certificates
  • ✔ Trusted root authority
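The checklist above, and the missing-intermediate failure described earlier, can be checked from the summary that openssl s_client prints (the "Certificate chain" block with the s: subject and i: issuer lines, and the "Verify return code" line). The following script is an added example and not part of the original article: it parses that summary, verifies that each certificate is issued by the next one sent, that the chain ends at (or is issued by) a trusted root, and that openssl itself reported a clean verification. The sample outputs, the CA names, and the TRUSTED_ROOTS set are constructed for illustration; in real use you would pipe in the output of openssl s_client -connect host:443 -servername host -showcerts and populate the trusted set from your system's CA bundle. Sending the root itself is optional, which is why the last certificate is accepted if either it or its issuer is a trusted root.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output (summary lines
# only; the PEM bodies are omitted). All names are made up for this example.
COMPLETE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example CA Intermediate R1
 1 s:C = US, O = Example CA, CN = Example CA Intermediate R1
   i:C = US, O = Example CA, CN = Example CA Root
---
Verify return code: 0 (ok)
"""

# Same server, but only the leaf is sent: the classic broken chain.
INCOMPLETE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example CA Intermediate R1
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Subjects present in the client's trust store (constructed placeholder;
# a real check would load these from the OS or browser CA bundle).
TRUSTED_ROOTS = {"C = US, O = Example CA, CN = Example CA Root"}

CERT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")      # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")             # "   i:C = US, ..."
VERIFY_LINE = re.compile(r"^Verify return code:\s*(\d+)", re.MULTILINE)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    certs = []
    subject = None
    for line in output.splitlines():
        m = CERT_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def audit_chain(output, trusted_roots=TRUSTED_ROOTS):
    """Apply the chain checklist; return a list of findings (empty = OK)."""
    findings = []
    certs = parse_chain(output)
    if not certs:
        return ["no certificates presented"]

    # Correct order: certificate N must be issued by certificate N+1.
    for idx in range(len(certs) - 1):
        _, issuer = certs[idx]
        next_subject, _ = certs[idx + 1]
        if issuer != next_subject:
            findings.append(
                f"cert {idx} issued by '{issuer}' but cert {idx + 1} "
                f"is '{next_subject}': wrong order or unrelated certificate")

    # Completeness: the last certificate is either a trusted root itself
    # (root sent, which is allowed) or is issued directly by one.
    last_subject, last_issuer = certs[-1]
    if last_subject not in trusted_roots and last_issuer not in trusted_roots:
        findings.append(
            f"chain ends at '{last_subject}' whose issuer '{last_issuer}' "
            f"is not a trusted root: intermediate missing")

    # openssl's own verdict against its trust store (0 means verified).
    m = VERIFY_LINE.search(output)
    if m and m.group(1) != "0":
        findings.append("openssl verify return code " + m.group(1))
    return findings


if __name__ == "__main__":
    for name, sample in (("complete", COMPLETE_CHAIN),
                         ("incomplete", INCOMPLETE_CHAIN)):
        print(name, audit_chain(sample) or ["chain OK"])
```

Expired intermediates are not visible in this summary; for that, save the PEM blocks that -showcerts prints and inspect each with openssl x509 -noout -dates.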

Conclusion

Understanding how SSL certificate chains function is what keeps your site safe and trusted. Most SSL errors stem not from invalid certificates but from misconfigured chains. Install your intermediate certificates correctly and validate your setup to ensure end-to-end trust across all browsers and devices.

Check Your Certificate Chain

Use our free SSL Checker to validate your full certificate chain and identify any missing intermediates.
