Certificate Chain Checker
Verify your SSL certificate chain, find missing intermediates, and get a correctly-ordered bundle
Check a Certificate Chain
Paste your certificate bundle, or enter a hostname to fetch and verify the chain a live server presents.
How to Check a Certificate Chain
Diagnose and fix chain issues in four steps.
Provide the chain
Paste your full PEM bundle (leaf + intermediates), or enter a hostname to fetch the chain a live server presents.
Check the order
The tool arranges certificates leaf → intermediate → root and flags anything out of order.
Fix the gaps
Missing-intermediate, expired, and unrelated-certificate problems are called out with how to fix them.
Deploy the bundle
Copy or download the corrected, correctly-ordered bundle and install it on your server.
Frequently Asked Questions
Common questions about SSL certificate chains.
Chrome and some browsers cache intermediate certificates they've seen before, so they can complete a chain your server doesn't send. Android, Java, curl, and many API clients do not — they fail if the intermediate is missing. That's why a chain can look fine in one place and broken in another. Always send the full chain (leaf + intermediates).
Leaf (your domain) first, then each intermediate, ending just before the root. Most servers (Nginx, Apache, HAProxy) require this exact order in the bundle. The root certificate should normally be omitted — clients already trust it.
No. Clients ship with trusted root certificates, so sending the root just adds bytes to the handshake. Send the leaf and intermediates only. This tool's corrected bundle excludes a self-signed root automatically.
The leaf (or end-entity) certificate is issued for your domain. Intermediates are issued by the root to the leaf, forming a chain of trust. The root is the self-signed certificate at the top that clients trust directly. Verification walks leaf → intermediate → root.
No. Pasted certificates are analyzed in server memory and discarded immediately. Host checks open a standard TLS connection to read the presented chain and nothing is logged or retained. Certificates are public information; private keys are never involved.