Understanding Certificate Authorities and Trust Chains

Learn what certificate authorities do, how SSL/TLS trust chains work, and why missing intermediate certificates can cause browser warnings.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 8 min read | Beginner

Introduction

A certificate authority, or CA, is an organization trusted to issue SSL/TLS certificates. When a browser opens an HTTPS website, it checks whether the website certificate can be linked back to a trusted root certificate through a valid certificate chain.

If the chain is incomplete, expired, misordered or issued by an untrusted authority, visitors may see browser warnings even if the website has a certificate installed.

Quick answer

Browsers trust SSL/TLS certificates through a certificate chain. A website certificate is usually issued by an intermediate certificate, which links back to a trusted root certificate. If the chain is missing or broken, HTTPS may fail or show security warnings.

Certificate authorities

A certificate authority is a trusted organization that verifies domain control and issues SSL/TLS certificates.

  • Let’s Encrypt
  • DigiCert
  • Sectigo
  • GlobalSign
  • Google Trust Services
  • Amazon Trust Services

A CA does not host your website. It issues the certificate your server uses for HTTPS.

Certificate chains

A certificate chain connects your website certificate to a trusted root certificate.

Website certificate

Issued for your domain.

Intermediate certificate

Issued by the certificate authority and used to sign website certificates.

Root certificate

Trusted by browsers and operating systems.

Example chain

    example.com certificate
      Intermediate CA certificate
        Root CA certificate

Browsers trust the website certificate only if the chain can be verified back to a trusted root.

Root vs intermediate

Root certificate

Trusted directly by browsers and operating systems. Usually kept highly protected. Signs intermediate certificates. Rarely used directly for website certificates.

Intermediate certificate

Sits between root and website certificate. Signs website certificates. Must usually be served by the web server. Missing intermediates can break trust.

Website certificate

Issued for your domain. Installed on your server, CDN or hosting panel. Must match the hostname visitors use. Must be served with the correct chain.

Why intermediates matter

Most public SSL/TLS certificates are not signed directly by a root certificate. They are signed by an intermediate CA. Your server usually needs to send the website certificate plus the intermediate certificate chain.

If intermediate certificates are missing, some browsers or devices may not be able to build a trusted path.

This is why a certificate can look installed but still fail SSL checks.

Why this matters

Trust chains matter because HTTPS depends on browser trust. A valid domain certificate is not enough if the certificate chain is incomplete, untrusted or expired. Chain problems can cause browser warnings, API failures, mobile app connection errors and payment or integration issues.

Trust-chain issues are common after manual certificate installation, server migration, CDN changes or incorrect SSL bundle uploads.

How to check the chain

Use SSL Checker to inspect the certificate issuer, chain, intermediate certificates and trust status.

When checking the trust chain, review

These six checks help confirm the chain is complete and trusted.

Website certificate

Confirm it is issued for the correct hostname.

Issuer

Check which CA issued the certificate.

Intermediate chain

Confirm intermediate certificates are present.

Root trust

Confirm the chain ends at a trusted root certificate.

Expiry dates

Check expiry for the website certificate and intermediates.

Server installation

Confirm the active server, CDN or proxy serves the full chain.

Common problems

Intermediate certificate missing (High)

The server does not send the intermediate certificate needed to build trust.

Next step: Install the full certificate chain or CA bundle from the certificate provider.

Wrong intermediate certificate (Medium)

The server sends an intermediate certificate that does not match the website certificate.

Next step: Download the correct intermediate chain from the certificate authority.

Self-signed certificate (High)

The certificate is not issued by a trusted public certificate authority.

Next step: Use a publicly trusted certificate for public websites.

Expired intermediate certificate (High)

An intermediate certificate in the chain is expired.

Next step: Replace the chain with the current CA bundle.

Untrusted root (High)

The chain ends at a root certificate not trusted by browsers or the client.

Next step: Use a certificate from a trusted CA or check client trust store requirements.

Chain served in wrong order (Medium)

The server sends certificates in an incorrect order.

Next step: Install the certificate bundle in the correct order: website certificate, then intermediates.

CDN or proxy serves different chain (Medium)

The origin server may be correct, but the CDN or proxy serves another certificate chain.

Next step: Check SSL at the public hostname and update the CDN/proxy certificate.

Old CA bundle after migration (Medium)

A migrated server uses an outdated or incomplete CA bundle.

Next step: Reinstall the certificate and full chain on the active server.

How to fix the chain

  1. Identify where SSL is terminated

    Check whether HTTPS is served by hosting, Nginx, Apache, LiteSpeed, CDN, load balancer or reverse proxy.

  2. Download the correct chain

    Get the full certificate chain or CA bundle from your certificate authority or hosting panel.

  3. Install the website certificate

    Install the certificate issued for your domain.

  4. Install intermediate certificates

    Add the required intermediate certificates in the correct order.

  5. Reload the service

    Reload the web server, proxy or CDN configuration.

  6. Test externally

    Use SSL Checker from outside the server to confirm visitors receive the correct chain.

  7. Check old devices if needed

    If your audience uses older devices or embedded systems, verify compatibility with their trust stores.

Chain examples

Typical chain

    example.com certificate
    Issued by: Intermediate CA

    Intermediate CA certificate
    Issued by: Root CA

    Root CA certificate
    Trusted by browser / operating system

OpenSSL check

    openssl s_client -connect example.com:443 -servername example.com -showcerts

Check issuer

    echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer

Check subject

    echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -subject

These examples are illustrative. Replace example.com with your real domain or subdomain.
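
The missing-intermediate, self-signed, expired and wrong-order problems listed earlier can be caught in a bundle file before it is installed. The script below is an added example, not part of the original guide or any CheckDomainHealth tool; the names check_bundle and name_of and the verdict words are assumptions made here. It chains certificates by issuer and subject name and checks expiry only, so it does not verify signatures or root trust.

```shell
#!/bin/sh
# Added example: name-chaining check for a PEM bundle in served order
# (website certificate first, then intermediates). It compares issuer and
# subject names and expiry only; it does not verify signatures or root trust.

# name_of subject|issuer FILE: print that name of one certificate file.
name_of() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# check_bundle FILE: print one verdict word for the bundle.
check_bundle() {
    dir=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... keeping served order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }' "$1"
    count=$(ls "$dir" | wc -l | tr -d ' ')
    verdict=ok
    [ "$count" -gt 0 ] || verdict=no-certificate
    i=1
    while [ "$i" -le "$count" ]; do
        cert=$dir/cert$i.pem
        next=$((i + 1))
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            verdict=expired; break
        elif [ "$i" -eq 1 ] &&
             [ "$(name_of subject "$cert")" = "$(name_of issuer "$cert")" ]; then
            verdict=self-signed; break
        elif [ "$count" -eq 1 ]; then
            verdict=missing-intermediate; break
        elif [ "$next" -le "$count" ] &&
             [ "$(name_of issuer "$cert")" != "$(name_of subject "$dir/cert$next.pem")" ]; then
            verdict=wrong-order-or-wrong-intermediate; break
        fi
        i=$next
    done
    rm -rf "$dir"
    echo "$verdict"
}

# Usage: sh check_bundle.sh fullchain.pem  (file names are placeholders)
if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```

A verdict of ok means the names chain in the served order; confirm trust itself with an external check against the public hostname.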

Public vs private CA

Public websites should use certificates from publicly trusted certificate authorities.

Public CA

Used for public websites and trusted by browsers.

Private CA

Used inside organizations, internal systems, VPNs or private infrastructure.

A private CA certificate may work inside a company network but show warnings for public visitors unless their device trusts that private CA.

CAA records

CAA records let domain owners restrict which certificate authorities are allowed to issue certificates for a domain.

Example
example.com. 300 IN CAA 0 issue "letsencrypt.org"

CAA does not install SSL certificates. It only controls which CAs are allowed to issue them. A wrong CAA record can block issuance or renewal.
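
How a CAA set can block issuance or renewal, including for subdomains that inherit the parent domain's records (this goes beyond the single-record case above), shown as an added example that is not from the original guide. The function name caa_check, the sample records and the CA identifier other-ca.example are constructed for illustration; only non-wildcard names and the issue tag are evaluated.

```shell
#!/bin/sh
# Added example: decide whether a CA may issue for a host name, given CAA
# records in the zone-file form shown above. Covers non-wildcard names and
# the "issue" tag only; CNAMEs and critical flags are not handled.

# Constructed sample records (not real DNS data).
SAMPLE='example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 iodef "mailto:security@example.com"
locked.example.net. 300 IN CAA 0 issue ";"'

# caa_check HOST CA_DOMAIN RECORDS_TEXT
caa_check() {
    name=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
    while [ -n "$name" ]; do
        # Evaluate the CAA set at this name, if there is one.
        verdict=$(printf '%s\n' "$3" | awk -v n="$name." -v ca="$2" '
            tolower($1) == n && $4 == "CAA" {
                seen = 1
                if (tolower($6) != "issue") next   # iodef etc. do not restrict
                restricted = 1
                v = $7; gsub(/"/, "", v); sub(/;.*/, "", v)   # drop parameters
                if (tolower(v) == tolower(ca)) ok = 1
            }
            END { if (seen) print ((restricted && !ok) ? "blocked" : "permitted") }
        ')
        if [ -n "$verdict" ]; then
            echo "$verdict by CAA set at $name"
            return 0
        fi
        # No CAA records at this name: climb to the parent domain.
        case $name in
            *.*) name=${name#*.} ;;
            *)   name= ;;
        esac
    done
    echo "permitted, no CAA records found"
}

# A subdomain with no CAA records of its own inherits the parent's set.
caa_check shop.example.com other-ca.example "$SAMPLE"
```

Feed it the answer lines from your own DNS lookup in place of the constructed sample to see which name's CAA set applies to a given host.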

Frequently asked questions

What is a certificate authority?

A certificate authority is an organization trusted to issue SSL/TLS certificates after validating domain control.

What is a certificate chain?

A certificate chain links the website certificate through intermediate certificates to a trusted root certificate.

What is an intermediate certificate?

An intermediate certificate sits between the website certificate and the trusted root certificate.

Why does my SSL certificate say incomplete chain?

The server may not be sending the required intermediate certificates.

Can I use a self-signed certificate for a public website?

Not recommended. Public visitors will usually see trust warnings.

Does the root certificate need to be installed on my server?

Usually no. Servers normally send the website certificate and intermediate certificates. Browsers already have trusted root stores.

Can a CDN use a different certificate chain?

Yes. If HTTPS terminates at a CDN or proxy, the public chain may come from that service instead of your origin server.
