SSL Certificate Chain | Your in-depth Guide

SSL Certificate Chain

You would be familiar with a software/website that can not function independently. Website per-se functions in-tandem with web server, which is a backbone for its functioning. The same is true for SSL certificate as well. Yes, it functions with support from some chain. This chain is generally known as SSL certificate chain.

Here, I am going to guide you in-depth about the SSL certificate chain and what is the role of every component within that chain.


What is SSL Certificate Chain?


A certificate chain acts to establish a trust between Certificate Authorities (CAs) of a Public Key Infrastructure (PKI). The trust establishes the hierarchical roles and relationships between the root CA, the intermediate CA, and the Secure Sockets Layer (SSL) certificates.

Actually, in order to identify the trust factor of the SSL certificate, a browser has to verify few more details. These details are nothing but few more certificate that has been vetted by This list of SSL Certificate from the root certificate to the end browser, represents the SSL Certificate chain.

Let us delve deeper into the process. To see the component within SSL certificate you need to see the certificate path of SSL installed on any URL.


Component of SSL certificate chain


  1. URL certificate

  2. Intermediate certificate and

  3. Root certificate


SSL Certificate Chain


Differentiating root and intermediate CAs

The root CA is the base of the certificate chain. Certificates from the root CA carries the same level of trust as the root CA certificate. The root CA signs the certificate for the intermediate CA. The role of the intermediate CA is to sign end-entity certificates for the root CA.

SSL certificate

The SSL certificate is signed by an intermediate CA for use as a domain specific certificate. The SSL certificate is installed on an SSL enabled server (end-entity) and the certificate is presented to the browser when initiating an SSL connection with the server. The browser will try to confirm the authenticity of the SSL certificate by checking the signing authority of the certificate.

Intermediate CA

The intermediate CA is a deputy to a specific root CA and uses a certificate signed by the root CA. The intermediate CA is the signer of SSL certificates. The intermediate CAs get their CA directly from the signing root CA.


Root CA

The root CA utilizes a X.509-based public key certificate that specifically identifies the root CA. The root CA is the signing authority for the SSL certificate chain. Browser vendors include a list of known, trusted root CAs that will ultimately determine the validity of an SSL certificate.

For a browser to accept an SSL certificate, the certificate must be issued by a CA that has a signed certificate from a root CA. That is included in the browser’s store of known, trusted root CAs.

The browser will check each intermediate CA’s certificate to establish if it was issued by a known, trusted root CA. In case the certificate of the intermediate CA was signed by some another intermediate CA, the web browser will then verify if that intermediate CA’s certificate to check if the issuer of the certificate is a trusted root CA.

This chain of checking a level deeper will continue until the root CA certificate is located and checked against the browser’s trusted store of root CA’s.

When the root CA matches a known and trusted root CA in the browser’s store, the certificate is accepted as valid.

Untrusted SSL connections are managed in various ways by different vendors, most will warn that the connection is distrusted, requiring the user to acknowledge the discrepancy or outright fail to allow the connection to establish.


How SSL Certificate Chain Works

For more in-depth understanding of SSL certificate chain I have a video for you. Watch this for quick understanding.



Simple Example of a certificate chain:

  • A browser initiates an SSL connection to a domain that has an SSL certificate issued by a CA D.
  • CA D is an intermediate CA; therefore the browser will not have a root CA certificate for D in the list of known, trusted root CAs.
  • The certificate for D is signed by the intermediate CA C.
  • The certificate for C was signed by the intermediate CA B.
  • The certificate for B is signed by the intermediate CA A.
  • Intermediate CA A’s certificate was trusted by the root CA.

If the root CA is a known, trusted CA, the SSL certificate presented to the browser in the initial request is deemed valid.


Troubleshooting SSL Certificate Chain Issues


SSL certificate troubleshooting can be really difficult at times if you are not familiar with procedures. Having said that, here is a SSL Certificate troubleshooting guide with solution of most common errors.


  • Check if your SSL certificate is issued by a trusted CA? otherwise your SSL certificate will be distrusted by browsers. There would also be a problem if you self-signed your certificate.
  • Did you install your intermediates properly? While browsers will try to fill the gaps in the certificate chain, you don’t want to leave things to chance. Make sure that all intermediate certificates are installed along with your SSL certificate.
  • Is your server configured correctly? Just because you have your SSL certificate and any intermediates doesn’t mean you’ve configured your server properly. If you have trouble with the installation of your certificate, our installation team would be happy to assist.


Credit: Video

Have any Questions


If you have any questions, feel free to call us toll-free

Toll-Free Call: +91 +91-22-42978097

  • Payments We Accept
  • PayPal
  • Direct Debit
  • Visa Payment Method
  • Master Card
  • Maestro
  • American Express