Understanding Certificate Authorities and Trust Chains
Learn what certificate authorities do, how SSL/TLS trust chains work, and why missing intermediate certificates can cause browser warnings.
Introduction
A certificate authority, or CA, is an organization trusted to issue SSL/TLS certificates. When a browser opens an HTTPS website, it checks whether the website certificate can be linked back to a trusted root certificate through a valid certificate chain.
If the chain is incomplete, expired, misordered or issued by an untrusted authority, visitors may see browser warnings even if the website has a certificate installed.
Quick answer
Browsers trust SSL/TLS certificates through a certificate chain. A website certificate is usually issued by an intermediate certificate, which links back to a trusted root certificate. If the chain is missing or broken, HTTPS may fail or show security warnings.
Certificate chains
A certificate chain connects your website certificate to a trusted root certificate.
Website certificate
Issued for your domain.
Intermediate certificate
Issued by the certificate authority and used to sign website certificates.
Root certificate
Trusted by browsers and operating systems.
example.com certificate
→ Intermediate CA certificate
→ Root CA certificate
Browsers trust the website certificate only if the chain can be verified back to a trusted root.
Root vs intermediate
Root certificate
Trusted directly by browsers and operating systems. Usually kept highly protected. Signs intermediate certificates. Rarely used directly for website certificates.
Intermediate certificate
Sits between root and website certificate. Signs website certificates. Must usually be served by the web server. Missing intermediates can break trust.
Website certificate
Issued for your domain. Installed on your server, CDN or hosting panel. Must match the hostname visitors use. Must be served with the correct chain.
Why intermediates matter
Most public SSL/TLS certificates are not signed directly by a root certificate. They are signed by an intermediate CA. Your server usually needs to send the website certificate plus the intermediate certificate chain.
If intermediate certificates are missing, some browsers or devices may not be able to build a trusted path.
This is why a certificate can look installed but still fail SSL checks.
Why this matters
Trust chains matter because HTTPS depends on browser trust. A valid domain certificate is not enough if the certificate chain is incomplete, untrusted or expired. Chain problems can cause browser warnings, API failures, mobile app connection errors and payment or integration issues.
Trust-chain issues are common after manual certificate installation, server migration, CDN changes or incorrect SSL bundle uploads.
How to check the chain
Use SSL Checker to inspect the certificate issuer, chain, intermediate certificates and trust status.
When checking the trust chain, review
These six checks help confirm the chain is complete and trusted.
Website certificate
Confirm it is issued for the correct hostname.
Issuer
Check which CA issued the certificate.
Intermediate chain
Confirm intermediate certificates are present.
Root trust
Confirm the chain ends at a trusted root certificate.
Expiry dates
Check expiry for the website certificate and intermediates.
Server installation
Confirm the active server, CDN or proxy serves the full chain.
Common problems
Intermediate certificate missing
Severity: High. The server does not send the intermediate certificate needed to build trust.
Next step: Install the full certificate chain or CA bundle from the certificate provider.
Wrong intermediate certificate
Severity: Medium. The server sends an intermediate certificate that does not match the website certificate.
Next step: Download the correct intermediate chain from the certificate authority.
Self-signed certificate
Severity: High. The certificate is not issued by a trusted public certificate authority.
Next step: Use a publicly trusted certificate for public websites.
Expired intermediate certificate
Severity: High. An intermediate certificate in the chain is expired.
Next step: Replace the chain with the current CA bundle.
Untrusted root
Severity: High. The chain ends at a root certificate not trusted by browsers or the client.
Next step: Use a certificate from a trusted CA or check client trust store requirements.
Chain served in wrong order
Severity: Medium. The server sends certificates in an incorrect order.
Next step: Install the certificate bundle in the correct order: website certificate, then intermediates.
CDN or proxy serves different chain
Severity: Medium. The origin server may be correct, but the CDN or proxy serves another certificate chain.
Next step: Check SSL at the public hostname and update the CDN/proxy certificate.
Old CA bundle after migration
Severity: Medium. A migrated server uses an outdated or incomplete CA bundle.
Next step: Reinstall the certificate and full chain on the active server.
How to fix the chain
Step 1: Identify where SSL is terminated
Check whether HTTPS is served by hosting, Nginx, Apache, LiteSpeed, CDN, load balancer or reverse proxy.
Step 2: Download the correct chain
Get the full certificate chain or CA bundle from your certificate authority or hosting panel.
Step 3: Install the website certificate
Install the certificate issued for your domain.
Step 4: Install intermediate certificates
Add the required intermediate certificates in the correct order.
Step 5: Reload the service
Reload the web server, proxy or CDN configuration.
Step 6: Test externally
Use SSL Checker from outside the server to confirm visitors receive the correct chain.
Step 7: Check old devices if needed
If your audience uses older devices or embedded systems, verify compatibility with their trust stores.
Chain examples
example.com certificate
Issued by: Intermediate CA
Intermediate CA certificate
Issued by: Root CA
Root CA certificate
Trusted by browser / operating system
echo | openssl s_client -connect example.com:443 -servername example.com -showcerts
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -subject
These examples are illustrative. Replace example.com with your real domain or subdomain.
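The following is an added example, not part of the original guide. It builds a constructed root, intermediate and website certificate with openssl, shows that verification fails when the intermediate is not supplied, and checks the order of a bundle before it is installed. The function names, file names and certificate subjects are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: every key, name and certificate here is constructed locally.
make_chain() {  # $1 = empty dir; writes root.pem, int.pem, leaf.pem (+ keys)
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'basicConstraints=CA:FALSE' > "$d/x.cnf"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "/CN=Constructed $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  sign() { openssl x509 -req -days 2 -extfile "$d/x.cnf" "$@" 2>/dev/null; }
  sign -extensions ca -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.pem" &&
  sign -extensions ca -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -out "$d/int.pem" &&
  sign -extensions leaf -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -out "$d/leaf.pem"
}

# Trust only the root, like a client; $2 = optional file of intermediates the server sent.
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} "$1/leaf.pem" 2>/dev/null |
    grep -q ': OK$'
}

# Succeeds if each certificate in bundle $1 is issued by the one that follows it.
chain_order_ok() {
  tmp=$(mktemp -d) || return 1
  awk -v dir="$tmp" '/BEGIN CERTIFICATE/ { n++ } n { print > (dir "/" n ".pem") }' "$1"
  n=1 rc=0
  while [ -f "$tmp/$((n + 1)).pem" ]; do
    issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/$n.pem")
    subject=$(openssl x509 -noout -subject_hash -in "$tmp/$((n + 1)).pem")
    [ "$issuer" = "$subject" ] || rc=1
    n=$((n + 1))
  done
  rm -rf "$tmp"; return $rc
}

work=$(mktemp -d) && make_chain "$work" || exit 1
cat "$work/leaf.pem" "$work/int.pem" > "$work/fullchain.pem"   # order a server should send
cat "$work/int.pem" "$work/leaf.pem" > "$work/swapped.pem"     # misordered bundle
verify_leaf "$work" || echo "leaf only: no path to the trusted root"
verify_leaf "$work" "$work/int.pem" && echo "leaf + intermediate: verifies"
chain_order_ok "$work/fullchain.pem" && echo "fullchain.pem: order correct"
chain_order_ok "$work/swapped.pem" || echo "swapped.pem: wrong order"
```

chain_order_ok can be run on a real bundle from a certificate provider before uploading it to a server, CDN or hosting panel.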
Public vs private CA
Public websites should use certificates from publicly trusted certificate authorities.
Public CA
Used for public websites and trusted by browsers.
Private CA
Used inside organizations, internal systems, VPNs or private infrastructure.
A private CA certificate may work inside a company network but show warnings for public visitors unless their device trusts that private CA.
CAA records
CAA records let domain owners restrict which certificate authorities are allowed to issue certificates for a domain.
example.com. 300 IN CAA 0 issue "letsencrypt.org"
CAA does not install SSL certificates. It only controls which CAs are allowed to issue them. A wrong CAA record can block issuance or renewal.
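An added example (not from the original guide) of how a CA evaluates a CAA record set under RFC 8659, useful for checking records before a renewal: no issue records means no restriction, and issuewild, when present, governs wildcard requests. The function name caa_allows, the other-ca.example identifier and the issuewild record are constructed for illustration.

```shell
#!/bin/sh
# Added example. caa_allows CA_DOMAIN [wild] reads a CAA record set on stdin in the
# presentation format used above (name TTL IN CAA flags tag "value") and exits 0
# if that CA may issue. Passing "wild" evaluates a wildcard request.
caa_allows() {
  awk -v ca="$1" -v wild="${2:-}" '
    $4 == "CAA" {
      tag = tolower($6); val = tolower($7)
      gsub(/"/, "", val); sub(/;.*/, "", val)   # drop quotes and any ;parameters
      if (tag == "issue")     { ni++; if (val == ca) oki = 1 }
      if (tag == "issuewild") { nw++; if (val == ca) okw = 1 }
    }
    END {
      if (wild != "" && nw) exit !okw   # issuewild, when present, governs wildcards
      if (ni) exit !oki                 # otherwise the issue records decide
      exit 0                            # no issue records: CAA imposes no restriction
    }'
}

# Constructed record set: one CA allowed, wildcard issuance forbidden for everyone.
rrset='example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issuewild ";"'

for ca in letsencrypt.org other-ca.example; do
  printf '%s\n' "$rrset" | caa_allows "$ca" && echo "$ca: may issue for example.com"
  printf '%s\n' "$rrset" | caa_allows "$ca" wild || echo "$ca: blocked for *.example.com"
done
```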
Frequently asked questions
What is a certificate authority?
A certificate authority is an organization trusted to issue SSL/TLS certificates after validating domain control.
What is a certificate chain?
A certificate chain links the website certificate through intermediate certificates to a trusted root certificate.
What is an intermediate certificate?
An intermediate certificate sits between the website certificate and the trusted root certificate.
Why does my SSL certificate say incomplete chain?
The server may not be sending the required intermediate certificates.
Can I use a self-signed certificate for a public website?
Not recommended. Public visitors will usually see trust warnings.
Does the root certificate need to be installed on my server?
Usually no. Servers normally send the website certificate and intermediate certificates. Browsers already have trusted root stores.
Can a CDN use a different certificate chain?
Yes. If HTTPS terminates at a CDN or proxy, the public chain may come from that service instead of your origin server.