What is an SSL certificate chain?

It is the ordered path that links a site's leaf certificate, through one or more intermediate CA certificates, up to a trusted root certificate that a browser already recognizes.

What is an intermediate certificate?

An intermediate is a CA certificate sitting between the offline root and the leaf. It signs the leaf on the root's behalf, and the server must send it so clients can build the path.

Why do I get an 'incomplete chain' error?

The server did not send the intermediate certificate. Without it, some clients cannot build a path from the leaf back to a trusted root, so validation fails.

SSL Certificate Chains and Intermediate Certificates Explained

A certificate chain is the ordered path that connects a site's certificate to a root your browser already trusts, with one or more intermediate certificates in between. Each certificate in the chain is signed by the one above it, forming a verifiable line of custody from the site you are visiting up to a known authority. Browsers do not trust a site's certificate on its own; they trust it because they can follow that chain to a root in their trust store. If you are new to how these certificates work in the first place, start with our pillar guide, SSL/TLS certificates explained.

The structure exists because trust has to be delegated carefully. A handful of root certificate authorities anchor the entire public web, and their root keys are too valuable to use for everyday signing. Instead, roots sign intermediates, and intermediates sign the millions of certificates issued to actual websites. The format and rules for all of this come from the X.509 certificate profile, the long-standing specification that defines how certificates reference their issuers and how clients walk the path between them. Once you understand the chain, most validation problems described in our pillar, SSL/TLS certificates explained, become much easier to diagnose.

The three levels of the chain

Every public certificate chain has three kinds of certificate. Knowing which is which tells you where a problem lives.

Level	Role	Trust source
Root	Top anchor; signs intermediates, never used to sign leaf certs directly	Pre-installed in the browser or operating system trust store
Intermediate	Signed by the root; does the day-to-day signing of leaf certificates	Derives trust from the root that signed it
Leaf	The certificate issued to your actual domain, presented during the handshake	Derives trust from the intermediate that signed it

The leaf is sometimes called the end-entity certificate. It carries your domain name, your public key, and the validity dates. It cannot vouch for itself, so it points to the intermediate that issued it, which in turn points to the root.

Why roots stay offline

A root certificate authority guards its private key like a vault. Compromise a root and an attacker could mint trusted certificates for any domain on the internet, so roots are kept on hardware that is physically air-gapped and used only on rare, audited occasions. Intermediates take the operational load. If an intermediate key is ever compromised, the CA can revoke that single intermediate and issue a new one without disturbing the root or every certificate the root has ever underwritten. The CA/Browser Forum codifies these obligations, including key protection and issuance practices, in its Baseline Requirements, which CAs must follow to stay in browser trust programs.

This layering is also why your certificate provider hands you more than one file. You receive your leaf certificate plus the intermediate (or a bundle of them). Both belong on the server.

The incomplete-chain problem

Here is where most chain failures start. During the TLS handshake, your server is responsible for sending the leaf certificate and every intermediate needed to reach a trusted root. The server does not send the root itself, because the client already has it. If you install only the leaf and forget the intermediate, you create an incomplete chain.

What makes this maddening is that it often looks fine. Some browsers cache intermediates they have seen before, or fetch a missing one using the URL embedded in the certificate, so the site loads correctly for you while breaking for someone else. Mobile clients, older devices, API callers, and strict TLS libraries frequently do none of that caching or fetching. They see a leaf with no path to a root and reject the connection. A site that works on your laptop and fails on a customer's phone is a classic incomplete-chain signature.

How clients build and validate the path

When a client receives the certificates, it does roughly this:

Take the leaf and read which issuer signed it.
Find a certificate in the presented bundle, its cache, or a fetch whose subject matches that issuer.
Verify the signature on the leaf using that issuer's public key.
Repeat upward until it reaches a certificate that is in its own trusted root store.
Along the way, check expiry dates, the domain name, revocation status, and that each certificate is allowed to sign the one below it.

If any link is missing, expired, or signed by something the client does not trust, path building fails and the handshake aborts.

Spotting a broken chain

Several signs point straight at the chain. A certificate that validates in one browser but throws errors in another, tools reporting "extra download" or "incomplete chain," or failures that only appear from servers and command-line clients rather than desktop browsers. For a fuller catalogue of failure messages and their fixes, see common SSL errors. And if a chain leads nowhere because the certificate signed itself instead of being issued by a CA, read self-signed certificates to understand why browsers reject it outright.

Not sure whether your server is sending its intermediates? Run a free SSL check at domainintel.app and see your full chain in seconds.