
Certificate Chain Explained

A certificate chain links your SSL certificate to a trusted root CA via intermediate certificates. Learn how chains work and why they matter for TLS.

A certificate chain (also called a trust chain or chain of trust) is the sequence of certificates that links your server's SSL certificate back to a trusted root Certificate Authority. Browsers maintain a built-in list of trusted root CAs and will trust any certificate that chains to one of those roots.

The Three Tiers

  • Root CA certificate: The top of the chain. Self-signed. Embedded in operating systems and browsers. These are guarded carefully — root keys are stored in hardware security modules (HSMs) in air-gapped facilities.
  • Intermediate CA certificate: Issued by the root CA. The CA uses intermediate certificates to sign end-entity certs so the root key never has to be brought online. If an intermediate is compromised, it can be revoked without revoking the root.
  • Leaf (end-entity) certificate: Your server's certificate. Issued by the intermediate CA. This is the certificate you paste into the decoder.

Why Intermediate CAs Exist

Root CAs are kept offline to protect their private keys. If a CA signed leaf certificates directly with the root key and that key were ever compromised, every certificate the CA had ever issued would be suspect. Intermediates act as a buffer — a CA can have many active intermediates, and if one is compromised, only certificates from that intermediate need to be revoked.

Sending the Full Chain

When configuring a TLS server (Nginx, Apache, etc.), you typically need to send the leaf certificate plus all intermediate certificates in one file. If you omit the intermediates, clients that haven't cached the intermediates will see an "incomplete chain" or "unable to get local issuer certificate" error. Let's Encrypt's fullchain.pem file already includes both the leaf and the intermediate(s).

Chain Validation in the Decoder

Paste a full certificate chain into the decoder and each certificate in the chain will be decoded separately. Certificate chain files are typically in PEM format: multiple PEM blocks concatenated in a single file. Look at the Basic Constraints extension: intermediate CA certificates will show CA:TRUE, while the leaf certificate shows CA:FALSE. If your chain is incomplete, see the missing intermediate certificate guide.
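The incomplete-chain error from "Sending the Full Chain" and the CA:TRUE / CA:FALSE distinction above can be reproduced offline with the openssl CLI. This is an added example, not part of the original page; the CA names, demo.example and all file names are constructed, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page. All names are constructed:
# "Demo Root", "Demo Intermediate", demo.example and the file names.

# issue NAME CN EXTFILE [ISSUER]: make NAME.key and NAME.pem, signed by
# ISSUER's key, or self-signed when ISSUER is omitted (the root case).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "${4:-}" ]; then signer="-CA $4.pem -CAkey $4.key -set_serial 2"
    else signer="-signkey $1.key"; fi
    # $signer is left unquoted on purpose so it splits into arguments.
    openssl x509 -req -in "$1.csr" $signer -extfile "$3" -days 30 \
        -out "$1.pem" 2>/dev/null
}

# build_chain DIR: root -> intermediate -> leaf, plus the two files a server
# might be configured with: the full chain and the leaf on its own.
build_chain() (
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > leaf.ext
    issue root 'Demo Root' ca.ext &&
    issue int 'Demo Intermediate' ca.ext root &&
    issue leaf demo.example leaf.ext int &&
    cat leaf.pem int.pem > fullchain.pem   # leaf first, then intermediates
)

# basic_constraints CERT: print CA:TRUE or CA:FALSE as a decoder would show it.
basic_constraints() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(CA:[A-Z]*\).*/\1/p'
}

# verify_as_client ROOT SERVED: act as a client whose trust anchor is ROOT and
# that has no cached intermediates. The first certificate in SERVED is the
# leaf; any further ones are untrusted helpers for path building.
verify_as_client() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT          # throwaway keys, removed on exit
build_chain "$work"
basic_constraints "$work/int.pem"   # intermediate
basic_constraints "$work/leaf.pem"  # leaf
verify_as_client "$work/root.pem" "$work/fullchain.pem"
verify_as_client "$work/root.pem" "$work/leaf.pem" || echo "leaf-only file: chain incomplete"
```

The second verify_as_client call fails with "unable to get local issuer certificate", which is what a client without cached intermediates reports when the server sends only the leaf.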
