What is the SSL certificate chain in simple terms?

When a browser connects to your website over HTTPS, it needs to verify that your SSL certificate was issued by a trusted authority. It does this by following a chain of certificates: your server certificate was signed by an intermediate certificate authority, which was in turn signed by a root certificate authority that the browser trusts. This sequence — server cert → intermediate CA → root CA — is the certificate chain. A complete, valid chain is required for browsers to show the padlock and accept the connection without a warning.

Why does the site work fine in Chrome but Android apps or curl get a certificate error?

Desktop Chrome performs 'AIA chasing': if an intermediate certificate is missing from what your server sends, Chrome reads the Authority Information Access (AIA) extension embedded in your certificate, fetches the missing intermediate from the URL listed there, and completes the chain automatically. Android's WebView, iOS WebKit, curl, and Java's SSL libraries do not perform AIA chasing — they only validate what your server actually sends. So a server with a missing intermediate appears to work in Chrome while failing for all strict TLS clients. Configuring your server to send the full chain (cert + intermediate) fixes all clients at once.

What files do I need to build a complete SSL certificate chain?

You need two things: your end-entity certificate (the file your CA issued for your domain, typically named yourdomain.crt or yourdomain.pem) and the intermediate CA certificate (usually provided as ca-bundle.crt, intermediate.crt, or a similarly named file by your CA). On Nginx and Apache, you concatenate them in a single file — leaf certificate first, intermediate second — and reference that combined file in your server config. On IIS, you install the intermediate separately into the Windows certificate store rather than bundling it.

How many certificates should be in a complete SSL chain?

Most commercial CA certificates result in a chain of two or three certificates: your leaf certificate plus one or two intermediate CA certificates. The root CA certificate is typically not included in what your server sends — browsers already have it in their built-in trust store. If your server is sending only one certificate (your leaf cert alone), the chain is incomplete. If it's sending four or more, it's likely including the root, which is unnecessary but harmless for most clients. Two or three certificates in the chain is the normal, correct state for a commercially issued certificate.

What is a cross-signed intermediate certificate and do I need it?

A cross-signed intermediate is an intermediate CA certificate that has been signed by two different root CAs. This allows the same intermediate to be trusted by two separate root trust stores, extending compatibility to older systems that may not have the newer root. For example, some Let's Encrypt and Sectigo certificates come with cross-signed intermediates for backward compatibility with Android 2.3–4.x and older Java runtimes. When your CA provides a 'ca-bundle' file with multiple intermediates, include all of them in your chain file — the order is leaf cert first, then intermediates from most-specific to most-general. Most CA-provided fullchain.pem files already have the correct order.

Do I need to include the root CA certificate in my server's certificate chain?

No, and it is generally not recommended. Root CA certificates are pre-installed in every operating system and browser trust store, so sending the root in your TLS handshake adds unnecessary bytes without improving compatibility. More importantly, including the root does not increase security — if the root is not already in the client's trust store, no amount of sending it will make the client trust it, because root trust is established out-of-band. The correct server configuration is: leaf certificate + intermediate certificate(s) only. Never include the root in the file you reference as ssl_certificate in Nginx or SSLCertificateFile in Apache.

Will a broken certificate chain affect my SSL Labs grade?

Yes. SSL Labs (ssllabs.com/ssltest) checks the certificate chain and explicitly flags 'Chain issues: Incomplete' when intermediates are missing. An incomplete chain can lower your grade or prevent an A+ result even if all other settings are correct. SSL Labs also tests from multiple geographic locations, so it may catch chain issues that only affect certain clients or network paths. After fixing your chain configuration and restarting your server, re-run the SSL Labs test — it should show 'Chain issues: None' in the certificate section.

SSL Certificate Chain Explained

A missing intermediate certificate is the most common SSL misconfiguration. The server looks fine — your certificate is valid, not expired, and issued by a trusted CA — yet a subset of visitors still see a security warning. Android apps throw a PKIX path building failed error. Curl reports unable to verify the first certificate. Payment gateway callbacks start failing silently.

The reason is almost always the same: the server is sending only the leaf certificate instead of the complete certificate chain. This guide explains what the certificate chain is, how browsers validate it, why desktop Chrome hides the problem while mobile clients expose it, and exactly how to fix it on Nginx, Apache, and IIS.

Quick fix if you're in a hurry

If you already know what a certificate chain is and just need the fix: concatenate your leaf certificate and intermediate certificate into a single file (cat yourdomain.crt intermediate.crt > fullchain.pem), then point your server at that file. Jump to the , , or section below.

What is the SSL certificate chain?

The SSL certificate chain (also called the chain of trust) is an ordered list of certificates that links your server's identity back to a root certificate authority (CA) that browsers and operating systems already trust. Browsers don't trust your certificate by itself — they trust it because it was signed by an entity they do trust, which was in turn signed by another trusted entity, and so on up the chain.

When a browser opens an HTTPS connection, the server sends its certificate (and should send the intermediate certificates too). The browser then builds a path from the received certificates up to a root CA in its trust store. If the path is complete and every signature validates, the connection proceeds. If a certificate is missing anywhere in the chain, the browser cannot complete the path and displays a security warning.

SSL Certificate Chain Structure

Root CA Certificate

Self-signed · Pre-installed in OS/browser trust store · Never sent by the server

Intermediate CA Certificate

Signed by root CA · Sent by the server · 3–7 year validity

End-Entity (Leaf) Certificate

Signed by intermediate CA · Issued for your domain · Max 199 days validity

Arrows point from signer to signed. The browser validates the path from leaf ↑ to root.

The three layers of the chain

Root CA certificate

The trust anchor. Root CA certificates are self-signed — the CA signed its own certificate — and are distributed as part of the operating system or browser. Mozilla, Microsoft, Apple, and Google each maintain their own root trust programs that decide which CAs qualify for inclusion. Because root CA private keys are extremely sensitive (compromising a root would invalidate millions of certificates), they are stored offline in hardware security modules (HSMs), often in geographically separated facilities. Root CAs are long-lived: validity periods of 10–25 years are common. Your server should never include the root certificate in what it sends — browsers already have it.

Intermediate CA certificate

The operational workhorse. Intermediate CA certificates are signed by a root CA (or another intermediate) and are used for day-to-day certificate issuance. Because the root key is offline, the CA operates online using an intermediate key. If an intermediate is ever compromised, the CA revokes it — an action that invalidates only the certificates signed by that intermediate, not every certificate ever issued under the root. Most commercial CAs maintain multiple intermediates for different product lines (DV, OV, EV), geographic regions, or signing algorithms (RSA vs. ECC). Intermediate certificates typically have a validity period of 3–7 years. Your server must include intermediate certificate(s) in what it sends to clients.

End-entity (leaf) certificate

Your certificate. The end-entity certificate identifies your domain (or organization) and is signed by the intermediate CA. It contains your public key, the domain name(s) it's valid for (in the Subject Alternative Name extension), and its validity period. Since the CA/Browser Forum Ballot SC-081v3 took effect on March 15, 2026, the maximum validity period for publicly trusted end-entity certificates is 199 days. Your server certificate is what your web server is typically configured with via its private key — and it's the certificate that browsers display when you click the padlock icon.

Why CAs use intermediate certificates

The intermediate CA layer exists primarily for security and operational flexibility. Without it, the root CA key would need to be online to sign every certificate request — a significant risk given the value of a root key. The intermediate layer solves several problems simultaneously:

Root key isolation

The root CA private key stays offline. Certificate signing operations happen via the intermediate key. If the intermediate is compromised, the CA revokes it and rolls out a new one without touching the root. This limits the blast radius of a key compromise dramatically.

Cross-signing for backward compatibility

An intermediate can be signed by multiple root CAs. This cross-signing allows a single intermediate to be trusted by different root stores — extending compatibility to older Android devices, legacy Java runtimes, or systems that haven't updated their root store recently.

Operational segmentation

Large CAs operate separate intermediates for DV, OV, and EV certificates; for RSA vs. ECC keys; and for different geographic regions or business units. Each intermediate has its own audit trail and revocation path.

Controlled revocation

If a mis-issuance or security incident affects certificates from a specific intermediate, the CA can revoke just that intermediate's certificates — a targeted action. Revoking a root CA would be a catastrophic event affecting every certificate ever issued under it.

How browsers validate the chain (RFC 5280 path building)

Certificate path validation is specified in RFC 5280. When a browser receives a TLS certificate, it performs the following check for each certificate in the chain:

1The certificate's digital signature is verified using the public key of its issuer certificate.
2The current date is within the certificate's validity window (Not Before ≤ now ≤ Not After).
3The certificate has not been revoked (checked via CRL, OCSP, or CRLSet depending on the browser).
4The certificate is appropriate for its role: intermediate certificates must have Basic Constraints: CA:TRUE and a matching Key Usage extension.
5The chain terminates at a root CA certificate that is present in the browser's or operating system's built-in trust store.

Every step must pass for every certificate in the chain. A single failure at any level — an expired intermediate, a revoked leaf, a missing intermediate that breaks the path — terminates the validation and produces a browser security warning.

What the TLS handshake actually sends

During the TLS handshake, the server sends a Certificate messagethat contains an ordered list of certificates. RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3) both specify that this list should begin with the sender's leaf certificate, followed by any intermediate CA certificates in ascending order toward (but not including) the trusted root. Browsers use this list as the starting point for path building.

The root is omitted because every client already has a copy in its trust store — sending it would waste bandwidth without adding any trust benefit.

AIA chasing: why Chrome works but mobile clients fail

Each X.509 certificate contains an Authority Information Access (AIA) extension that includes two key URLs:

CA Issuers: A URL where clients can download the issuer's certificate — i.e., the intermediate CA that signed this certificate.
OCSP: A URL for checking real-time revocation status (see our OCSP stapling guide for details).

Desktop Chrome and desktop Edge perform AIA chasing: if the server doesn't send an intermediate certificate, these browsers read the AIA extension in your leaf certificate, fetch the missing intermediate from the CA Issuers URL, and complete the chain automatically. This is why a misconfigured server may appear to work perfectly in Chrome while failing for every other client.

Clients that do NOT perform AIA chasing

Android WebView and Chrome on Android
Safari and WebKit on iOS / macOS
curl (default build — requires --cacert to specify a bundle)
Java SSL/TLS stack (used by Spring Boot, Tomcat, Android apps, payment SDKs)
Python's urllib / requests library
Go's crypto/tls package
OpenSSL verify and s_client with strict mode
All IoT devices, set-top boxes, and embedded HTTPS clients

These clients fail immediately if your server doesn't send the full chain. The fix is always the same: configure your server to send the complete chain.

What chain errors look like

The error message varies by client, but all of the following indicate a certificate chain problem. (For expiry, name-mismatch, and the other non-chain failures, see our guide to SSL certificate errors.)

Chrome / Edge (when AIA chasing fails or is blocked)

NET::ERR_CERT_AUTHORITY_INVALID

Chrome only shows this if it cannot complete AIA chasing — for example, if the CA Issuers URL is unreachable or the network blocks outbound HTTP.

Firefox

SEC_ERROR_UNKNOWN_ISSUER or MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

Firefox maintains its own trust store (NSS) and does not perform AIA chasing. A missing intermediate always produces a hard error.

curl

curl: (60) SSL certificate problem: unable to get local issuer certificate

curl's default behavior is to verify the full chain. 'unable to get local issuer certificate' almost always means a missing intermediate on the server side.

Java / Android apps

javax.net.ssl.SSLHandshakeException: PKIX path building failed: unable to find valid certification path to requested target

The Java PKIX path validator requires the complete chain. This is one of the most common errors in Java application logs when the server has a misconfigured chain.

OpenSSL s_client

Verify return code: 21 (unable to verify the first certificate)

Return code 21 means openssl cannot verify the issuer of the first certificate in the chain. The server sent only the leaf cert.

How to diagnose a broken chain

The fastest way to check your certificate chain is with OpenSSL'ss_clientcommand. Run this from a machine where Chrome's AIA caching won't confuse the results:

# Connect and show all certificates in the chain
openssl s_client -connect yourdomain.com:443 -showcerts 2>/dev/null \
  | grep -E "^(subject|issuer)"

A complete chain shows at least two subject/issuer pairs — one for your leaf certificate and one for the intermediate CA:

subject=CN = yourdomain.com
issuer=CN = Sectigo RSA Domain Validation Secure Server CA, ...

subject=CN = Sectigo RSA Domain Validation Secure Server CA, ...
issuer=CN = USERTrust RSA Certification Authority, ...

An incomplete chain shows only one pair — just your leaf certificate:

subject=CN = yourdomain.com
issuer=CN = Sectigo RSA Domain Validation Secure Server CA, ...
# ← intermediate certificate missing — the chain is broken

You can also count certificates directly:

openssl s_client -connect yourdomain.com:443 -showcerts 2>/dev/null \
  | grep -c "BEGIN CERTIFICATE"
# 1 = incomplete, 2 or 3 = typically complete

Online alternatives

SSL Labs (ssllabs.com/ssltest) — shows "Chain issues: None" when complete, flags "Chain issues: Incomplete" otherwise. The most thorough free test.
My-SSL SSL Checker — use the SSL Checker tool to inspect the chain of any hostname directly.

Fix the chain on Nginx

Nginx requires the certificate chain to be bundled into a single file that thessl_certificatedirective points to. The file must contain the leaf certificate first, followed by the intermediate certificate(s). Never include the root.

Step 1: Create the fullchain file

# Leaf cert first, then the intermediate(s)
cat yourdomain.crt intermediate.crt > fullchain.pem

# If your CA provided a bundle with multiple intermediates:
cat yourdomain.crt ca-bundle.crt > fullchain.pem

Step 2: Reference fullchain.pem in your server block

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    # Use the full chain file — NOT just yourdomain.crt
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...;
    ssl_prefer_server_ciphers off;
    ...
}

Step 3: Test and reload

nginx -t              # Validate config — fix any errors before reloading
nginx -s reload       # Reload without dropping connections

Order in the bundle file matters

Place the leaf certificate first, then intermediates in order from most-specific to most-general (i.e., the one that signed your leaf comes first, then the one that signed that, and so on). Nginx is tolerant of out-of-order bundles in modern versions, but other clients and tools may not be.

Fix the chain on Apache

Apache 2.4.8 and later supports a bundled certificate file via SSLCertificateFile. Older Apache versions required a separate SSLCertificateChainFile directive (which was deprecated in 2.4.8 but still works).

Apache 2.4.8+ (preferred — single bundled file)

# Create fullchain.pem
cat yourdomain.crt intermediate.crt > fullchain.pem

# In your VirtualHost block:
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on

    # Point to the bundled file — leaf cert + intermediate(s)
    SSLCertificateFile    /etc/apache2/ssl/fullchain.pem
    SSLCertificateKeyFile /etc/apache2/ssl/private.key

    # Optional — improves forward secrecy and TLS 1.3 compatibility
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    ...
</VirtualHost>

Apache 2.4.7 and earlier (separate chain file)

<VirtualHost *:443>
    SSLCertificateFile      /etc/apache2/ssl/yourdomain.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
    # SSLCertificateChainFile is deprecated in 2.4.8+ but still works
</VirtualHost>

Test and restart

apache2ctl configtest    # or: httpd -t
systemctl reload apache2  # or: systemctl reload httpd

Fix the chain on IIS

IIS on Windows doesn't use a bundled certificate file. Instead, intermediate certificates are stored in the Windows Certificate Store, and IIS automatically includes them during the TLS handshake when they are present in the right store.

Install the intermediate via MMC

1Press Win+R, type mmc, press Enter to open the Microsoft Management Console.
2Go to File → Add/Remove Snap-in → select Certificates → Add → choose Computer account → Local computer → OK.
3In the left pane, expand Certificates (Local Computer) → Intermediate Certification Authorities → Certificates.
4Right-click the Certificates folder → All Tasks → Import.
5Browse to your intermediate certificate file (intermediate.crt or ca-bundle.crt). Complete the wizard.
6Restart IIS: run iisreset in an elevated Command Prompt.

Install via PowerShell

# Import intermediate into the correct store
Import-Certificate -FilePath "C:\ssl\intermediate.crt" `
    -CertStoreLocation Cert:\LocalMachine\CA

# Restart IIS
iisreset

Windows downloads missing intermediates via AIA chasing, similar to desktop Chrome. This means your IIS server may appear to work correctly even if the intermediate is not explicitly in the store, because Windows fetches it automatically on first connection. However, this fetch fails if the CA Issuers URL is blocked by your firewall, or on systems without outbound HTTP access. Installing the intermediate explicitly ensures the chain is always complete and eliminates this dependency.

Where to get the intermediate certificate

Your CA should provide the intermediate certificate in your certificate download package. Look for a file named ca-bundle.crt, intermediate.crt, or chain.pem. My-SSL download packages include your leaf certificate, the intermediate bundle, and a pre-built fullchain.pem ready to use directly in Nginx or Apache.

If you don't have the intermediate file, you can retrieve it from the AIA extension embedded in your own certificate:

# Find the CA Issuers URL in your certificate
openssl x509 -in yourdomain.crt -noout -text \
  | grep -A 2 "CA Issuers"
# Example output:
# CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt

# Download the intermediate from that URL
curl -o intermediate.crt "http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt"

# If the downloaded file is in DER format (binary), convert to PEM:
openssl x509 -inform DER -in intermediate.crt -out intermediate.pem
mv intermediate.pem intermediate.crt

CA intermediate certificate repositories

All major CAs publish their intermediate certificates in publicly accessible repositories. DigiCert, Sectigo, GlobalSign, and Comodo all maintain dedicated download pages for their intermediate CA certificates — typically linked from their support or knowledge base. These pages are the authoritative source; the AIA fetch above points to the same files.

Verify the fix

After restarting your server, run the following checks to confirm the chain is complete:

1. OpenSSL — count certificates

openssl s_client -connect yourdomain.com:443 -showcerts 2>/dev/null \
  | grep -c "BEGIN CERTIFICATE"
# Expected: 2 (leaf + one intermediate) or 3 (leaf + two intermediates)

2. OpenSSL — verify return code

openssl s_client -connect yourdomain.com:443 2>/dev/null \
  | grep "Verify return code"
# Expected: Verify return code: 0 (ok)

3. curl — full chain verification

curl -vI https://yourdomain.com 2>&1 | grep -E "(issuer|subject|SSL)"
# Look for multiple issuer lines — one per certificate in the chain

Chain complete — expected output

• openssl certificate count: 2 or 3
• Verify return code: 0 (ok)
• curl exits with code 0
• SSL Labs: "Chain issues: None"

Chain broken — warning signs

• openssl certificate count: 1
• Verify return code: 21
• curl: (60) unable to get local issuer
• SSL Labs: "Chain issues: Incomplete"

Related configuration guides

A complete certificate chain is the foundation of a correct TLS setup. Pair it with these additional configurations for a hardened deployment:

TLS 1.3 — 1-RTT handshake, mandatory forward secrecy, and no legacy ciphers.
HSTS — force all connections over HTTPS and prevent protocol downgrade attacks.
OCSP stapling — cache the CA's revocation proof on your server to speed up TLS handshakes.
CAA records — restrict which CAs are authorized to issue certificates for your domain.
Need a new commercial certificate with a correctly bundled chain? Browse DV SSL certificates from $3.99/year — all download packages include fullchain.pem.