What Is a Certificate Chain?
A certificate chain is a sequence of certificates in which each certificate is signed by the next one in the chain, starting from the end-entity (server) certificate and ending at a trusted root certificate. This chain establishes the trust relationship that browsers need to verify your server's identity.
The Three Levels
Root CA Certificate — The top of the trust hierarchy. Root certificates are self-signed and pre-installed in browsers and operating systems. They are kept offline in secure facilities and rarely used to sign certificates directly.
Intermediate CA Certificate — Issued by the root CA, intermediate certificates act as a bridge between the highly protected root and the end-entity certificates. A single root may have multiple intermediates for different purposes or regions.
End-Entity (Leaf) Certificate — This is your server's certificate, signed by an intermediate CA. It contains your domain name, public key, and other identifying information.
Why Intermediate Certificates Matter
If you install only your end-entity certificate, without the intermediates, browsers cannot build the trust chain back to the root, and users see "certificate not trusted" errors. Always include all intermediate certificates in your server configuration.
Proper Chain Configuration
For most web servers, you should create a full chain file that includes:
- Your end-entity certificate (at the top)
- All intermediate certificates (in order)
The root certificate is usually optional since browsers already have it, but including it doesn't hurt.