Certificate Chain Builder

100% Private - Runs Entirely in Your Browser
No data is sent to any server. All processing happens locally on your device.

Understanding Certificate Chains

When you obtain an SSL/TLS certificate from a Certificate Authority (CA), you receive more than just your server's certificate. You also need intermediate CA certificates that form a chain of trust.

Chain Structure

  1. End-Entity Certificate - Your server's certificate containing your domain name
  2. Intermediate CA Certificate(s) - Certificates that chain your cert to the root
  3. Root CA Certificate - Self-signed certificate trusted by browsers (usually not needed in your config)

Common Chain Issues

Incomplete Chain: Missing intermediate certificates cause "certificate not trusted" errors, especially on mobile devices.

Wrong Order: Some servers require certificates in a specific order. The standard is end-entity first, followed by intermediates, with root last.
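The ordering rule and the incomplete-chain case described above, as an added JavaScript example (not this tool's own code). It orders by subject and issuer name only; the function names, object shape and sample names are assumptions constructed for illustration.

```javascript
// Added example. Entries need `subject` and `issuer` strings (the shape Node's
// crypto.X509Certificate exposes). Name matching only: verify signatures separately.

// Split a PEM bundle into its individual certificate blocks.
function splitPemBundle(bundle) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  return bundle.match(re) || [];
}

// Order a bundle as end-entity first, then intermediates, root last (optional).
// Assumption: at most one certificate per subject name in the bundle.
function orderChain(certs, { includeRoot = false } = {}) {
  const selfIssued = (c) => c.subject === c.issuer;
  const bySubject = new Map(certs.map((c) => [c.subject, c]));
  const issuerNames = new Set(
    certs.filter((c) => !selfIssued(c)).map((c) => c.issuer));
  // The end-entity certificate is the one that issued nothing else here.
  const leaves = certs.filter(
    (c) => !selfIssued(c) && !issuerNames.has(c.subject));
  if (leaves.length !== 1) {
    throw new Error(`expected one end-entity certificate, found ${leaves.length}`);
  }
  const chain = [];
  const seen = new Set();
  let unresolvedIssuer = null;
  let current = leaves[0];
  while (current) {
    if (seen.has(current.subject)) throw new Error('issuer loop in bundle');
    seen.add(current.subject);
    if (selfIssued(current)) { // reached the root
      if (includeRoot) chain.push(current);
      break;
    }
    chain.push(current);
    const parent = bySubject.get(current.issuer);
    // Not in the bundle: either the omitted root or a missing intermediate.
    if (!parent) unresolvedIssuer = current.issuer;
    current = parent;
  }
  const unused = certs.filter((c) => !seen.has(c.subject)).map((c) => c.subject);
  return { chain, unresolvedIssuer, unused };
}

// Constructed sample input, deliberately out of order.
const sampleBundle = [
  { subject: 'CN=Example Intermediate CA', issuer: 'CN=Example Root CA' },
  { subject: 'CN=Example Root CA', issuer: 'CN=Example Root CA' },
  { subject: 'CN=www.example.test', issuer: 'CN=Example Intermediate CA' },
];
```

A non-null `unresolvedIssuer` together with a non-empty `unused` list is the signature of a missing intermediate: the bundle holds a root that nothing in the ordered chain leads to.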

Authority Information Access (AIA)

Modern certificates include an AIA extension that contains a URL to the issuer's certificate. This tool uses AIA to automatically fetch and build the complete chain.

Server Configuration

Nginx

Apache

Frequently Asked Questions

Common questions about the Certificate Chain Builder

A certificate chain (or chain of trust) is a sequence of certificates that links your server's certificate to a trusted root Certificate Authority (CA). It typically includes your end-entity certificate, one or more intermediate CA certificates, and optionally the root CA certificate.

Browsers need to verify your certificate by tracing it back to a trusted root CA. If intermediate certificates are missing, browsers may show security warnings or refuse to connect. A complete chain ensures all clients can verify your certificate.

Most certificates contain an Authority Information Access (AIA) extension with a URL pointing to the issuer's certificate. This tool reads the AIA extension and automatically fetches the intermediate certificates to build the complete chain.

If the tool cannot fetch certificates automatically (due to network issues or missing AIA URLs), it shows you the issuer information and where to find the certificate. You can then manually download it from your CA's website and upload it.

The standard order is: your server certificate first, followed by intermediate CA certificates in order, with the root CA last (optional). This tool automatically orders the chain correctly.

Generally no. Browsers and operating systems have root CA certificates built in. Including the root can slightly increase handshake size but usually doesn't cause problems. This tool includes it if available.

The downloaded PEM file contains all certificates in the correct order. For Apache/Nginx, use it as your certificate file or chain file. For other servers, consult their documentation on certificate chain configuration.

This tool accepts certificates in PEM format (Base64-encoded, with -----BEGIN CERTIFICATE----- headers). Most CAs provide certificates in this format. If you have DER format, use our Certificate Format Converter first.
