SSL Certificate Chain Checker

Inspect the full chain of trust a server sends. Enter a domain and this tool lists every certificate it presents — the leaf, each intermediate CA, and a root if one is included — and tells you whether the chain is complete and correctly ordered. A missing intermediate is the classic bug that works in your browser but fails on Android and other strict clients; this is how you catch it.

We read the certificates the server presents during the live handshake. Nothing is stored.

How to use the SSL Certificate Chain Checker

Enter a domain and press Check chain. The tool shows every certificate the server sent during the TLS handshake, in order:

  • Leaf — your site's own certificate (position 1).
  • Intermediate CA — one or more certificates that link your leaf to a trusted root.
  • Root CA — occasionally included (it does not need to be, since the root already lives in browsers' trust stores).

Each entry shows the subject, who issued it, and when it expires. At the top, a verdict tells you whether the chain looks complete (leaf plus at least one intermediate) or incomplete (only the leaf was sent — a problem). If a root certificate is included, it is flagged as harmless but slightly wasteful, since sending it adds bytes to every handshake for no benefit.

What the certificate chain of trust is

Browsers do not trust website certificates directly. Instead, trust flows down a chain: a small set of root certificate authorities (CAs) are pre-installed in every browser and operating system, those roots sign intermediate CA certificates, and the intermediates sign the individual leaf certificate your website uses. To trust your site, a browser must be able to build an unbroken path from your leaf certificate up to one of those known roots.

Here is the catch: the browser starts with only your server's response. For it to build the path, your server must send the intermediate certificate(s) along with the leaf. The root is already on the client, so it is not needed (and sending it just wastes bandwidth). If the server sends only the leaf and omits the intermediate, you get the dreaded incomplete chain:

  • Desktop Chrome and Firefox often hide the problem, because they cache intermediates or fetch the missing one via the certificate's Authority Information Access (AIA) URL. So it looks fine on your machine.
  • Android, many mobile apps, server-to-server clients, and older devices do not do that, so they reject the connection outright. This is why "it works for me but customers get certificate errors" is almost always a chain problem.

Because this tool reads exactly what the server transmits — not what a forgiving desktop browser reconstructs — it shows the true state of the chain and pinpoints a missing intermediate that you would otherwise only discover from frustrated users.

Common use cases

  • Diagnosing "works for me, fails for them" — the number-one cause is a missing intermediate, which this check reveals immediately.
  • After a manual certificate install — confirm you deployed the full chain (fullchain file), not just the leaf certificate.
  • Auditing mobile/app reliability — make sure strict clients can verify your certificate, not just desktop browsers.
  • Checking API and webhook endpoints — server-to-server callers verify chains strictly, so an incomplete chain silently breaks integrations.
  • Trimming a bloated handshake — spot an unnecessary root certificate being sent and remove it to shave bytes off every connection.

How to fix an incomplete certificate chain

  • Install the full chain file. Point your server at the file that contains the leaf and the intermediates. With Let's Encrypt this is fullchain.pem (not cert.pem). With a commercial CA, concatenate your certificate followed by the provided CA-bundle into one file.
  • Order matters. The leaf comes first, then each intermediate in order toward the root. Most servers tolerate minor ordering issues, but getting it right avoids edge-case failures.
  • Nginx: ssl_certificate should point to the combined leaf + intermediates file.
  • Apache: set SSLCertificateFile to the leaf and SSLCertificateChainFile to the intermediates (or use a combined file on modern versions).
  • After fixing, reload the server and re-run this check — you should now see the intermediate(s) listed and a "complete" verdict.
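The same verdict can be reproduced from a terminal. The following is an added example, not this tool's own code: it parses the "Certificate chain" section printed by openssl s_client and applies the complete / incomplete / root-included rules described on this page. It assumes the OpenSSL 1.1.1+ output format, compares subject and issuer names only (it does not verify signatures), and uses constructed hostnames and CA names as sample input.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
#   openssl s_client -connect host:443 -servername host </dev/null
# Hostnames and CA names below are made up for illustration.
SAMPLE_COMPLETE = """\
Certificate chain
 0 s:CN = shop.example.test
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
 1 s:C = US, O = Example Trust, CN = Example Issuing CA 1
   i:C = US, O = Example Trust, CN = Example Root CA
"""
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:CN = shop.example.test
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)", line)   # " 0 s:<subject>"
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s+i:(.*)", line)         # "   i:<issuer>"
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def chain_verdict(chain):
    """Classify a sent chain; returns a list of findings."""
    if not chain:
        return ["no certificates found"]
    findings = []
    if len(chain) == 1:
        findings.append("incomplete: only the leaf was sent")
    # Each certificate's issuer must be the subject of the one sent after it.
    for pos in range(len(chain) - 1):
        if chain[pos][1] != chain[pos + 1][0]:
            findings.append(f"out of order or broken link after position {pos + 1}")
    # A self-signed entry (subject == issuer) after the leaf is a root:
    # harmless, but it adds bytes to every handshake.
    if any(subj == iss for subj, iss in chain[1:]):
        findings.append("root included: safe to remove from the served chain")
    return findings or ["complete"]
```

To check a live server, pass the captured s_client output to parse_chain and the result to chain_verdict; a leaf-only response is reported as incomplete even when a desktop browser loads the site without error.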

Frequently asked questions

What is an SSL certificate chain?

It is the ordered list of certificates that links your website's certificate to a trusted root CA: leaf → intermediate(s) → root. Browsers trust your site only if they can build an unbroken path from the leaf up to a root they already trust.

What does "incomplete certificate chain" mean?

The server sent its leaf certificate but not the intermediate CA certificate(s) needed to reach a trusted root. Some browsers paper over it, but strict clients like Android and server-to-server callers reject the connection.

Why does my site work in Chrome but fail on mobile?

Almost always a missing intermediate. Desktop browsers often fetch or cache the intermediate for you; mobile and app clients do not, so they fail. Install the full chain to fix it for everyone.

Should the root certificate be included in the chain?

No. The root already exists in every client's trust store, so sending it is unnecessary and just adds bytes to each handshake. The server should send the leaf plus intermediates only.

How do I send the full chain?

Configure your server to use the "fullchain" file (leaf + intermediates). With Let's Encrypt use fullchain.pem; with a commercial CA, concatenate your certificate and the CA-bundle.

Does this store the domains I check?

No. The chain is read from the live handshake and nothing is saved.