SSL chain checker

Verify the full certificate chain, not just the leaf — catch missing intermediates.

Switch on SJ Monitor SSL monitoring to be warned before a certificate expires or the chain breaks. Start free →

This SSL chain checker validates the entire certificate chain your server presents, from the leaf certificate up through every intermediate to a trusted root. It is built to catch the common case where the leaf is fine but an intermediate is missing, which some browsers tolerate and others reject outright. You will see each certificate in order, its issuer, and its expiry, so you can confirm the chain is complete and correctly ordered. Since certificates expire and intermediates change, SJ Monitor's SSL monitoring keeps verifying the chain and warns you ahead of time.

Frequently asked questions

Why does my certificate work in one browser but not another?

Usually an intermediate certificate is missing from what your server sends. Some clients fill the gap automatically while others fail, which this checker flags directly.

What is a certificate chain?

It is the ordered set of certificates linking your site's leaf certificate to a trusted root through one or more intermediates. Every link must be present and valid for clients to trust it.

How do I avoid surprise certificate expiries?

Manual checks are easy to forget. SJ Monitor's SSL monitoring continuously tracks expiry across the chain and alerts you well before anything lapses.

How do I fix a missing intermediate certificate?

Configure your server to send the full chain — concatenate the intermediate(s) with your leaf certificate in the certificate file (fullchain.pem if you use Let's Encrypt). The checker shows exactly which link is absent.

What order should certificates be in?

Leaf first, then each intermediate in ascending order toward the root; the root itself doesn't need to be sent since clients already trust it. Wrong ordering causes some clients to reject the chain.

Why does the root certificate not need to be served?

Trusted roots are already built into operating systems and browsers, so resending one wastes bytes and is sometimes ignored. Your server only needs to supply the leaf and the intermediates that bridge to that trusted root.

More SSL/TLS & security tools tools

Certificate decoder CSR decoder HSTS checker Mixed content checker Security headers grade SSL certificate checker TLS / cipher scan
All SSL/TLS & security tools tools → · Browse every tool →

Want this checked automatically and around the clock? Create a free SJ Monitor account and we'll alert you the moment something changes.

Share this tool: X LinkedIn Facebook Reddit Email

We use essential cookies to run SJ Monitor (sign-in, security). See our privacy policy.