Understanding Certificate Chains: Root, Intermediate, and Leaf
Learn how the certificate chain of trust works — from the leaf certificate on your server up through intermediates to a root CA your browser trusts.
When a browser validates an SSL certificate, it doesn't just look at the certificate on the server. It follows a chain of trust — a series of certificates that link back to a root CA your browser already trusts. Understanding that chain is essential for debugging SSL errors.
The Three Layers
Root Certificate
Root certificates sit at the top of the hierarchy. They are self-signed — the issuer and subject are the same entity. Browser and OS vendors maintain a trust store: a curated list of root CAs they've vetted and decided to trust. Root certificates are rarely used to sign end-entity certificates directly because exposing root keys is a major security risk.
Intermediate Certificate
Intermediate certificates are signed by the root (or by another intermediate) and do the day-to-day work of signing end-entity certificates. If an intermediate is compromised, the CA can revoke it without affecting the root. Most modern CAs operate several intermediates. If an intermediate is missing from your server configuration, browsers will report a missing intermediate certificate error.
Leaf (End-Entity) Certificate
The leaf certificate is what's installed on your web server. It contains your domain name (in the Subject Alternative Names extension) and your public key, and it is signed by an intermediate CA. It has CA:FALSE in its Basic Constraints — it cannot sign other certificates.
How the Chain Validation Works
- Browser receives the leaf certificate from the server.
- Browser reads the leaf's issuer field and locates the matching intermediate certificate (either sent by the server in the handshake or already cached).
- Browser checks the intermediate's issuer — finds the root in its trust store.
- Browser verifies each signature in the chain using the issuer's public key.
- If every signature is valid and the root is trusted, the chain is valid.
Why Chains Fail
Common chain problems include:
- Missing intermediate — server only sends the leaf. Fix: install the full chain on your server.
- Untrusted root — the root CA isn't in the browser's trust store (common with private/internal CAs).
- Wrong order — the server sends the certificates out of sequence instead of leaf first, followed by the intermediates.
Decoding a Full Chain
Our SSL Certificate Decoder accepts a full PEM chain — just paste all certificates one after another. The decoder will parse each certificate in the chain, show its position, and highlight whether it's a CA certificate.
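The chain walk, the failure modes listed above and the bundle parsing described in this section, as an added Go example that is not part of this article or the decoder's own code. It uses only the standard library's crypto/x509: it mints a throwaway root, intermediate and leaf, lists a leaf-first PEM bundle the way a decoder would (position, issuer, CA flag), then runs the same verification with the full chain, with the intermediate missing, and with the root absent from the trust store. The names Demo Root CA, Demo Intermediate CA and the host example.test are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// certAndKey pairs a certificate with the private key that signs on its behalf.
type certAndKey struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// check aborts the demo on errors that only a broken environment can produce.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn, self-signed when parent is nil (a root);
// isCA sets Basic Constraints CA:TRUE plus keyCertSign, a leaf gets CA:FALSE.
func issue(cn string, isCA bool, parent *certAndKey, dns []string) *certAndKey {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // constructed demo names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &certAndKey{cert: cert, key: key}
}

// pemOf encodes one certificate as a PEM block, the unit a bundle is made of.
func pemOf(ck *certAndKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ck.cert.Raw})
}

// parsePEM splits a bundle into certificates in the order they appear, as a decoder does.
func parsePEM(bundle []byte) []*x509.Certificate {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		check(err)
		certs = append(certs, c)
	}
	return certs
}

// verifyChain does what a browser does: walk from the leaf to its issuer among the
// intermediates the server sent, then to a root in the trust store, checking each
// signature with the issuer's public key. A nil inter or root models the two failure modes.
func verifyChain(leaf, inter, root *certAndKey, host string) error {
	inters, roots := x509.NewCertPool(), x509.NewCertPool()
	if inter != nil {
		inters.AddCert(inter.cert)
	}
	if root != nil {
		roots.AddCert(root.cert)
	}
	_, err := leaf.cert.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inters, Roots: roots})
	return err
}

func main() {
	root := issue("Demo Root CA", true, nil, nil)
	inter := issue("Demo Intermediate CA", true, root, nil)
	leaf := issue("example.test", false, inter, []string{"example.test"})
	// The bundle a server sends (leaf first, then intermediate), listed as the decoder would.
	for i, c := range parsePEM(append(pemOf(leaf), pemOf(inter)...)) {
		fmt.Printf("%d: %s  issuer=%s  CA:%t\n", i, c.Subject.CommonName, c.Issuer.CommonName, c.IsCA)
	}
	fmt.Println("full chain:          ", verifyChain(leaf, inter, root, "example.test"))
	fmt.Println("missing intermediate:", verifyChain(leaf, nil, root, "example.test"))
	fmt.Println("untrusted root:      ", verifyChain(leaf, inter, nil, "example.test"))
}
```

Run it with `go run`. The full chain verifies with a nil error; the other two calls return "certificate signed by unknown authority", which is the same symptom you see in a browser for a missing intermediate and for a private root. Note that Go's Verify looks issuers up in unordered pools, so it will not reproduce the wrong-order failure; the bundle is still written leaf first, which is the order a server should present.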
Decode any SSL certificate instantly
Paste any PEM certificate into the free decoder — see subject, issuer, SANs, fingerprints, validity dates, and all X.509 extensions explained in plain English.
Open the Decoder