What is an SSL certificate chain
An SSL certificate chain links your website's certificate back to a trusted root certificate. When a link in that chain is missing, browsers and command line tools reject the connection even though the certificate itself is perfectly valid.
Published by Mark van Eijk on June 23, 2026 · 2 minute read
- What is a certificate chain
- The three links in the chain
- Why an incomplete chain breaks HTTPS
- Inspect the chain a server is sending
- Fix an incomplete chain
What is a certificate chain
When a browser connects to your website over HTTPS, it doesn't trust your certificate directly. Instead it follows a chain of trust from your certificate up to a root certificate it already trusts. Each certificate in the chain is signed by the one above it, and the root is pre-installed in the browser or operating system trust store.
If the browser can build an unbroken path from your certificate to a trusted root, it accepts the certificate and the connection proceeds. If it can't, it shows a warning.
The three links in the chain
A complete chain has three types of certificate:
- Root certificate — owned by the Certificate Authority (CA) and shipped inside every browser and operating system. It does not need to be sent over the wire; the client already has it.
- Intermediate certificate(s) — signed by the root, used by the CA to issue your certificate. There can be more than one.
- Leaf certificate — also called the server or end-entity certificate. This is the one issued for your domain.
The browser ships the root. Your server must send the leaf certificate plus every intermediate certificate so the browser can connect the two ends.
Why an incomplete chain breaks HTTPS
The most common SSL mistake is installing only the leaf certificate and forgetting the intermediates. It often looks fine in your own browser (which may have cached the intermediate from another site) but fails for other visitors and for tools like curl.
A broken or incomplete chain typically shows up as:
- curl: (60) SSL certificate problem: unable to get local issuer certificate
- NET::ERR_CERT_AUTHORITY_INVALID
- Your connection is not private
Inspect the chain a server is sending
Use openssl to see exactly which certificates your server presents:
openssl s_client -connect example.com:443 -servername example.com -showcerts
Each -----BEGIN CERTIFICATE----- block is one certificate in the chain. You should see your leaf certificate followed by one or more intermediates. If you only see one certificate, your chain is incomplete.
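As an added example (not part of the original article), the POSIX shell script below reads the "Certificate chain" section of an s_client transcript offline and checks that each certificate was issued by the next one, which is the leaf-first order a server should send. The two transcripts embedded in it are constructed samples with placeholder CA names and the certificate bodies omitted, not captures from a real host; the helper names (sent_count, verify_code, chain_links, diagnose) are my own.

```shell
#!/bin/sh
# Added example: analyse `openssl s_client -showcerts` output offline.
# The transcripts below are constructed samples (placeholder CA names,
# certificate bodies omitted), not captures from a live server.

# Sample 1: the common mistake, the server sends only the leaf.
INCOMPLETE='CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
-----BEGIN CERTIFICATE-----
(constructed placeholder, certificate body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.com
issuer=C = US, O = Example CA, CN = Example Intermediate R1
---
Verify return code: 21 (unable to verify the first certificate)
---'

# Sample 2: leaf followed by its intermediate; the root is not sent.
COMPLETE='CONNECTED(00000003)
depth=2 C = US, O = Example CA, CN = Example Root
verify return:1
depth=1 C = US, O = Example CA, CN = Example Intermediate R1
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
-----BEGIN CERTIFICATE-----
(constructed placeholder, certificate body omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
(constructed placeholder, certificate body omitted)
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
---'

# How many certificates the server actually sent.
sent_count() { printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'; }

# The numeric part of the "Verify return code" line (0 means the chain built).
verify_code() { printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p'; }

# Walk the " n s:" / "   i:" pairs and require issuer(n) == subject(n+1).
# Prints "linked:<count>" when every hop matches, otherwise the first gap.
chain_links() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = 0 }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss[n]  = $0; n++ }
        END {
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k+1]) { printf "gap after certificate %d\n", k; exit }
            printf "linked:%d\n", n
        }'
}

# One-line diagnosis: what was sent, whether it links, what openssl concluded.
diagnose() {
    links=$(chain_links "$1")
    code=$(verify_code "$1")
    case "$links:$code" in
        gap*)           echo "broken: $links" ;;
        linked:1:2[01]) echo "incomplete: only the leaf was sent (verify code $code)" ;;
        linked:*:0)     echo "complete: $(sent_count "$1") certificate(s) sent, verified" ;;
        *)              echo "$links, verify code $code" ;;
    esac
}

echo "incomplete sample: $(diagnose "$INCOMPLETE")"
echo "complete sample:   $(diagnose "$COMPLETE")"
```

Pipe a real transcript into the same functions (for example `diagnose "$(openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null)"`) to get the same one-line verdict for your own server.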
Fix an incomplete chain
The fix is to serve the full chain: your leaf certificate followed by the intermediate certificate(s), in order, in a single file. Concatenate them leaf-first:
cat domain.crt intermediate.crt > fullchain.crt
Then point your web server at the combined file. In nginx:
ssl_certificate /etc/ssl/fullchain.crt;
ssl_certificate_key /etc/ssl/domain.key;
If you use Let's Encrypt, this is already done for you — always point ssl_certificate at fullchain.pem, not cert.pem.
After reloading the server, re-run the openssl s_client command above and confirm the full chain is now sent. Once the chain is complete, you can verify your overall configuration with the SSLLabs test and aim for an A+ grade.