Contact Support
Sign In
When you visit a secure website, you’ll notice a padlock next to the URL. That means the site uses Secure Sockets Layer (SSL), which protects the information you share. However, for SSL to work properly, it must have an SSL certificate chain.
This chain links your website to a trusted source called a Certificate Authority, which proves your site is secure and trustworthy. If the chain is broken or incomplete, browsers may show warnings. So, understanding SSL chains is important for keeping your website safe and trusted by visitors.
This blog provides all the details of an SSL certificate chain, how it works, why it matters, and how to check and fix common chain issues to keep your website secure.
KEY TAKEAWAYS
- An SSL certificate chain connects your website’s certificate to a trusted root certificate.
- It consists of three parts: the server certificate, the intermediate certificate, and the root certificate.
- When any part of the chain is missing or broken, visitors receive a security warning.
- A full and valid SSL chain is needed for HTTPS to work correctly.
- You can check your SSL chain using browser tools or online checkers.
- Always install the full chain, not just the server certificate.
- Use a trusted Certificate Authority and renew certificates before they expire.
- Auto-renewal from your hosting provider or certificate manager can help avoid issues.
- A strong SSL cert chain keeps your site secure and builds trust with your visitors.
TABLE OF CONTENTS
What is an SSL Certificate Chain?
An SSL certificate chain is a group of digital certificates that work together and verify your website’s identity. When someone visits your site, their browser checks this chain to ensure your site is secure and trusted.
The chain starts with your website’s own certificate. This is called the server certificate. It connects to one or more intermediate certificates issued by trusted companies. These intermediate certificates then connect to a root certificate already trusted by browsers.
It’s worth noting that browsers rely on this full chain to confirm that your SSL certificate is real and secure. When even one part is missing or broken, visitors see a security warning. A complete SSL cert chain is required for a smooth and secure browsing experience.
Key Components of an SSL Certificate Chain
As mentioned earlier, an SSL certificate chain consists of 3 main parts. Each part plays an important role in making your website safe and trusted.
- Server (Leaf) Certificate: This certificate is associated with your domain. It is what your web server sends to the visitor’s browser and proves that your website is the real one and not a fake copy. But on its own, this certificate isn’t trusted yet.
- Intermediate Certificate(s): The part that acts as a bridge connecting your server certificate to a trusted source. Intermediate certificates are issued by a Certificate Authority (CA). Sometimes, more than one intermediate certificate is used to build a stronger link.
- Root Certificate: This is the top of the chain and is already trusted by web browsers and operating systems. Root certificates are stored inside your device. If the browser finds a valid link from the root to your server, it knows the connection is secure.
All three parts must work together. If one is missing, your visitors may see an error or warning when they attempt to visit your site.
SSL Certificate Chain Example
The SSL certificate chain forms a tree structure. It starts with the leaf certificate (your domain name) and ends at the root certificate, the most trusted source. Parts of the chain between the leaf and root certificate connect one level to the next. The chain is only trusted if all parts are in place and valid. It always ends with a root Certificate Authority (CA), which confirms the entire chain is secure.
Let’s look at the Hosted.com SSL certificate chain to see how it works:
Open your Chrome browser. Click tune in the address bar. Navigate to Connection is secure → Certificate is valid. Then, switch to Details and look for Certificate Hierarchy.
Here, you will find 3 layers in the chain:
- Cetrum Trusted Network CA: The root certificate is stored in browsers and operating systems and acts as the final checkpoint in the chain. When this certificate is revoked or deemed invalid, the entire chain becomes invalid.
- Cetrum Domain Validation CA SHA2: An intermediate certificate that sits between the root and the domain. It keeps the root certificate safe and issues domain certificates, such as the one for Hosted.com.
- *.hosted.com: This is the leaf certificate, also known as the server certificate. Hosted.com uses this certificate to secure its website and prove its identity to browsers. This certificate is issued by the intermediate CA, not directly by the root, to keep the root certificate protected.
This structure is managed by Cetrum, a trusted Certificate Authority that issues SSL certificates to secure websites across the internet. Hosting providers like Hosted.com rely on this chain to ensure all major web browsers and operating systems recognize and trust the SSL certificates.
If any part of this chain is missing, expired, or not properly installed, visitors will see a warning, and the website may appear unsafe. That’s why it’s so important to have a complete and valid SSL certificate chain in place.
How SSL Certificate Chains Work
Let’s continue with the Hosted.com example to see how the SSL certificate chain works:
First, your website sends its server certificate (*.hosted.com) to the visitor’s browser. The browser then looks for an intermediate certificate (Cetrum Domain Validation CA SHA2) that connects your server certificate to a trusted root certificate (Cetrum Trusted Network CA).
Next, the browser checks if this chain leads to a trusted root certificate already stored in the system. If the full chain is found and each part is valid, the browser shows a padlock and loads your site securely.
Each certificate in the chain plays a role. The server certificate proves your site’s identity. The intermediate certificate builds a trusted path. The root certificate confirms everything is safe.
Why SSL Certificate Chains Matter
An SSL cert chain is not just a technical step; it keeps your website trusted and secure. When the chain is complete and correct, browsers trust your website; this builds confidence with visitors, especially when they enter personal or payment information.
A proper chain also prevents SSL warnings, such as This site is not secure. These messages can scare people away and harm your site’s reputation. If your site doesn’t have a working certificate chain, HTTPS won’t function correctly, and it will not be fully protected.
Most importantly, SSL certificate chains keep data safe while it moves between your website and the visitor’s browser. This prevents hackers from stealing sensitive information.
Common Problems with SSL Certificate Chains
Even small issues in the SSL chain can cause huge problems. One common issue is a missing intermediate certificate. If your server only sends the server certificate and skips the intermediate one, browsers may not trust your site.
Another problem is improper SSL installation. If the certificates are not set up in the correct order, the chain can break. Also, using an expired or self-signed certificate leads to warnings because the browser won’t recognize it as trusted.
When these problems occur, visitors may see errors such as Your connection is not private or Certificate not trusted. These errors can hurt your website traffic and trust. That’s why you must check your certificate chain and address any issues quickly.
How to Check Your SSL Certificate Chain
To ensure your SSL certificate chain is working properly, use these simple tools:
Right-click on your website, select Inspect, and navigate to Privacy and security → Security → Overview. Here, you’ll see whether the connection is secure and if the certificate chain is valid. It also tells you which certificate is used and if the chain leads to a trusted root.
You may also use free online tools, such as Qualys SSL Labs. Enter your website’s URL, and the tool will scan your SSL setup. Look for a full chain that includes the server certificate, the intermediate certificate, and the root certificate. If anything is missing or misconfigured, the tool will point it out.
Best Practices for Managing SSL Chains
Follow these best practices to avoid SSL errors:
- Install the full certificate chain, not just the domain certificate. Ensure the intermediate certificate is also added.
- Use a trusted Certificate Authority (CA). Well-known CAs are recognized by all major browsers, which helps avoid warnings.
- Renew your certificates before they expire. Don’t wait until the last minute, as expired certificates will break the chain and trigger security alerts.
- Choose a hosting provider or tool that supports auto-renewal. This saves time and prevents certificate expiration issues.
- By checking and managing your SSL chain correctly, you can keep your website safe, trusted, and working smoothly for all visitors.
![Strip Banner Text - Keep your site and visitors safe with trusted SSL security. [More Info]](https://www.hosted.com/blog/wp-content/uploads/2025/05/ssl-certificate-chain-04-1024x229.webp "Keep your site and visitors safe with trusted SSL security")
FAQS
How is an SSL certificate chain different from a regular SSL certificate?
Your website uses an SSL certificate to enable HTTPS encryption and verify its identity. However, browsers don’t just trust your certificate alone; they need proof that it was issued by a trusted Certificate Authority (CA). The SSL certificate chain includes:
– Your end-entity certificate (the SSL certificate for your domain).
– One or more intermediate certificates (issued by the CA to bridge trust).
– And ultimately links back to a trusted root certificate (stored in browsers/OS).
This chain proves that your SSL certificate is valid and was issued by an authorized CA, ensuring browsers accept it without security warnings.
Can I use the same SSL chain for multiple domains?
Only if you have a Multi-Domain SSL or Wildcard SSL that supports this. Every domain needs a certificate, but the intermediate and root parts of the chain are often the same. This makes managing SSL for multiple domains easier and more efficient.
How many certificates are in the certificate chain?
A certificate chain usually has three certificates: a leaf certificate, an intermediate certificate, and a root certificate. Sometimes, there may be more than one intermediate certificate, especially if the Certificate Authority uses a longer trust path. But all chains must end with a trusted root certificate.
What happens if a root certificate is no longer trusted?
If a root certificate is revoked or distrusted (by browsers or operating systems), all certificates linked to it become invalid. Visitors will see a warning, even if your domain certificate and intermediate are fine. That’s why it’s important to use a trusted Certificate Authority.
How often should I check my SSL certificate chain?
You should check it whenever you install a new certificate, renew one, or change hosting providers. It’s also smart to do regular checks with online tools to catch issues early. Some tools even alert you if your SSL chain breaks or expires.
Other Blogs of Interest
– Multi Domain Wildcard SSL Certificate: Uses & Benefits
– Different Types Of SSL Certificates: Which One Is Right For Your Site?
– How To Renew SSL Certificates For A Website
– SSL Certificate – What it is, Why it is Needed, and How to Set It Up
– How to Get a Free Domain Name and a Free SSL Certificate
- About the Author
- Latest Posts
Wayne Diamond, the founder and CEO of Hosted.com, has over 20 years of expertise in the domain name and website hosting industry.
Under his leadership, Hosted.com will work towards transforming the way SMEs, entrepreneurs, freelancers, and established enterprises of all sizes manage their domain names, website and WordPress hosting, and online presence.