Certificate Chain of Trust (Certificate Chain)

Security Glossary - SSL/TLS

Definition: A certificate chain (or chain of trust) is the ordered list of certificates from the server's end-entity certificate through one or more intermediate certificates up to a trusted root certificate. Each certificate in the chain is signed by the next one, creating a verifiable path to a root CA that the browser trusts.

Why You Should Care About the Certificate Chain

A broken or incomplete certificate chain is one of the most common SSL configuration errors. If your server does not send the necessary intermediate certificates, some browsers and devices will fail to verify your certificate even though the certificate itself is perfectly valid. This often shows up as errors that differ from client to client - working in Chrome on desktop but failing on Android or in certain corporate environments.

The chain works like a series of endorsements. Your server's certificate is signed by an intermediate CA, which is signed by a root CA. Browsers have a built-in list of trusted root certificates. If any link in this chain is missing or invalid, the browser cannot verify trust and will show a security warning.

Server operators must configure their web server to send the complete chain (end-entity certificate plus all intermediates, but not the root). Missing intermediates are the number one cause of "certificate not trusted" errors on mobile devices, because mobile browsers often have smaller certificate stores and cannot fetch missing intermediates as reliably as desktop browsers.

How to Check

An SSL checker analyzes your server's certificate chain and reports whether all intermediate certificates are properly sent. If the checker shows chain errors or missing intermediates, you need to update your server configuration to include the full chain file provided by your CA.


Lessons From the Field

In 2020, Sectigo's AddTrust External CA Root expired, breaking certificate chains for thousands of sites that had not updated their intermediate bundles. Older clients (including OpenSSL 1.0.x on Ubuntu 14.04) could not validate the new cross-signed chain, causing widespread API failures and webhook breakages for services that relied on outdated server configurations.

Questions and Answers

Why does my certificate work in Chrome but not on mobile?

Desktop Chrome can sometimes fetch missing intermediate certificates automatically (a process called AIA fetching, after the Authority Information Access extension that carries the issuer's URL), masking chain configuration errors. Mobile browsers and other clients often cannot do this, so a missing intermediate causes a trust failure only on those devices.

Should I include the root certificate in the chain?

No. The server should send the end-entity certificate and all intermediate certificates, but not the root. The root certificate must already be in the client's trust store. Sending it wastes bandwidth and does not help validation.
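The check described under "How to Check" and the two answers above can be reproduced locally with openssl. The script below is an added example, not DomainOptic's scanner or any CA's tooling: it builds a throwaway root, intermediate and leaf certificate (the names Demo Root CA, Demo Intermediate CA, Other Root CA, example.test and all file names are constructed for the demo), then validates what a server sends in three configurations using only the certificates supplied and no AIA fetching, which is how a mobile client without that capability behaves. It assumes openssl 1.1.0 or newer is on PATH.

```shell
#!/bin/sh
# Added example (not DomainOptic's scanner or any CA's tooling): build a
# throwaway root -> intermediate -> leaf hierarchy, then validate what a
# server sends the way a client that cannot AIA-fetch would.
# All names (Demo Root CA, Demo Intermediate CA, Other Root CA, example.test,
# file names) are constructed for this demo. Assumes openssl 1.1.0+ on PATH.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extension files: CA certificates assert CA:TRUE, the end-entity must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
newcsr() { openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null; }

# selfsigned NAME "CN": a root CA (NAME.pem) signed with its own key
selfsigned() {
    newkey "$1.key"; newcsr "$1.key" "/CN=$2" "$1.csr"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile ca.ext -out "$1.pem" 2>/dev/null
}
# issue NAME "CN" ISSUER EXTFILE: NAME.pem signed by ISSUER.key
issue() {
    newkey "$1.key"; newcsr "$1.key" "/CN=$2" "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
}

selfsigned root  "Demo Root CA"      # the root the client actually trusts
selfsigned decoy "Other Root CA"     # stands in for a trust store lacking Demo Root CA
issue int  "Demo Intermediate CA" root ca.ext
issue leaf "example.test"         int  leaf.ext

# Three things a server might send (end-entity first):
cat leaf.pem int.pem          > fullchain.pem   # correct: leaf + intermediates, no root
cp  leaf.pem                    leafonly.pem    # broken: intermediate omitted
cat leaf.pem int.pem root.pem > withroot.pem    # root appended (it must already be trusted)

# check_chain TRUSTSTORE SENT: validates the first certificate in SENT using
# only the other certificates in SENT as untrusted intermediates and
# TRUSTSTORE as the trust anchors. Prints "ok" or "broken" on stdout and
# openssl's reason on stderr. -no-CApath keeps the system store out of it.
check_chain() {
    openssl x509 -in "$2" -out target.pem 2>/dev/null      # x509 reads only the first cert
    if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" target.pem 2>verify.err | grep -q ': OK$'; then
        echo ok
    else
        sed -n 's/.*depth lookup: */  reason: /p' verify.err >&2
        echo broken
    fi
}

echo "full chain, root trusted:        $(check_chain root.pem  fullchain.pem)"   # ok
echo "leaf only, root trusted:         $(check_chain root.pem  leafonly.pem)"    # broken
echo "root appended, root NOT trusted: $(check_chain decoy.pem withroot.pem)"    # broken
```

Run it as a plain script: the full chain validates, the leaf alone fails with "unable to get local issuer certificate" (the mobile-only failure described above), and appending the root to the chain does nothing when that root is not already in the client's trust store. Note that openssl verify -untrusted accepts the intermediates in any order, whereas in the TLS handshake itself the end-entity certificate must be sent first, so the order a live server actually sends is worth inspecting separately with openssl s_client -showcerts.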

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.