Certificate Chain Checker
Verify the complete SSL certificate chain including intermediate and root certificates.
About SSL Certificate Checker
Comprehensive SSL/TLS certificate analyzer that validates certificate chains, checks expiration dates, and verifies hostname matching from multiple global locations.
Key Features
Multi-region SSL validation
Certificate chain verification
Expiration monitoring
TLS version detection
Hostname validation
An incomplete certificate chain is one of the most frustrating SSL issues because it works on some devices but fails on others. Browsers cache intermediate certificates, so your site might load fine on your laptop while mobile users see security errors.
Our chain checker validates that your server sends the complete certificate chain: your domain certificate plus all required intermediate certificates. We test from multiple regions to catch edge-specific chain issues common with CDN deployments.
**Methodology:** Full certificate chain extraction and validation against trusted root CAs from 6 global probe locations.
Common SSL Errors & How to Fix Them
4 relevant issuesWorks in some browsers but fails in others. Mobile devices often affected first.
Include the intermediate certificate bundle when configuring SSL. Download the full chain from your CA and concatenate: your cert + intermediate(s). Test with openssl s_client -connect domain:443 -servername domain.
Chain is present but certificates are in incorrect order. Some clients may fail.
Reorder your certificate bundle: leaf certificate first, then intermediate(s), optionally root last. Do not include root CA for public sites. Regenerate your combined .pem or .crt file in the correct order.
Certificate not issued by a trusted CA. Browser shows ERR_CERT_AUTHORITY_INVALID.
Replace with a certificate from a trusted CA. Free options: Let's Encrypt (certbot), Cloudflare Origin CA. For internal services, add your CA to client trust stores or use a proper internal PKI.
SSL works from some locations but fails from others. Common with CDNs and multi-origin setups.
Check all CDN edge locations have the same certificate deployed. Verify origin server certificate matches CDN. Purge CDN cache after certificate updates. Check if geo-routing serves different origins.
Frequently Asked Questions
4 relevant questionsAn intermediate certificate bridges the trust between your SSL certificate and the root CA (Certificate Authority) in browser trust stores. Without it, browsers can't verify your certificate's authenticity, causing "connection not private" errors. Some browsers cache intermediates, so the error may appear on some devices but not others. Always include your CA's intermediate certificate bundle.
Your server is sending only the end-entity (leaf) certificate without intermediate certificates. Browsers need the full chain to verify trust back to a root CA. Fix by concatenating your certificate with intermediate certificates in this order: your cert → intermediate(s) → (optional root). Most CAs provide a "full chain" or "bundle" file for this purpose.
The correct order is: your domain certificate (leaf) first, then intermediate certificate(s), then optionally the root CA. Never include the root CA for public-facing sites as browsers already have it. For nginx: ssl_certificate should point to a file containing your cert + intermediates concatenated. For Apache: use SSLCertificateFile and SSLCertificateChainFile.
CDNs and load balancers often serve different SSL certificates at different edge locations. A certificate might be properly deployed in US data centers but expired or misconfigured in European nodes. Regional mismatches can also occur during certificate renewals if not all edges are updated simultaneously. Multi-region testing catches these inconsistencies before they affect users.
Related Tools
View All Tools →Related Tools
Global Infrastructure Verification
Verify SSL certificates, DNS records, and connectivity from 6+ regions worldwide. Get automated monitoring, expiry alerts, and full API access.