Certificate Chain and Trust Issues
Certificate chain problems manifest as trust errors, with browsers unable to verify the certificate's authenticity. Messages like "NET::ERR_CERT_AUTHORITY_INVALID" or "SEC_ERROR_UNKNOWN_ISSUER" indicate missing intermediate certificates or untrusted root certificates. These errors frustrate users because the certificate itself may be valid, but improper installation prevents verification.
Intermediate certificates bridge the gap between server certificates and trusted root certificates. Certificate authorities rarely sign server certificates directly with root certificates, instead using intermediate certificates for operational flexibility. Servers must present the complete chain from their certificate through intermediates to a trusted root. Missing intermediate certificates break this chain, causing trust failures.
Diagnosing chain issues requires understanding the certificate hierarchy. SSL testing tools like SSL Labs' SSL Test analyze certificate chains, identifying missing or incorrectly ordered certificates. Command-line tools provide detailed chain information, showing each certificate in the path. Comparing the presented chain against the CA's documented chain reveals missing components.
Proper chain configuration varies by server software but follows common principles. The certificate file is concatenated in order: the server certificate first, then each intermediate up to the one signed by the root. The root certificate itself is normally left out, because browsers maintain their own root stores and decide for themselves which roots to trust. Some servers require separate configuration directives for intermediate certificates, while others expect a single chained file. Testing across multiple browsers ensures broad compatibility.
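The two checks described above (each certificate in the bundle is issued by the one that follows it, and the self-signed root is not included) can be made mechanically, as in this added example; it is not code from the original text. It compares the DER-encoded issuer and subject Names byte for byte with only the standard library, and the sample "certificates" at the bottom are constructed, unsigned stand-ins carrying just the fields the checker reads, so the names in them are placeholders.

```python
import base64, re

def _tlv_at(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names(der):
    """Return (issuer, subject) of one certificate as raw DER Name blobs."""
    _, tbs, _ = _tlv_at(_tlv_at(der)[1])        # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):                        # split TBS into its top-level TLVs
        tag, _, end = _tlv_at(tbs, pos)
        fields.append((tag, tbs[pos:end]))       # keep full encoding for bytewise compare
        pos = end
    if fields[0][0] == 0xA0:                     # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    return fields[2][1], fields[4][1]            # serial, sigAlg, issuer, validity, subject, ...

def check_chain(pem_text):
    """Flag leaf->intermediate ordering breaks and report an included self-signed root."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [names(base64.b64decode("".join(b.split()))) for b in blocks]
    problems = [f"cert {i} is not issued by cert {i + 1}"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    root_included = bool(certs) and certs[-1][0] == certs[-1][1]
    return {"count": len(certs), "problems": problems, "root_included": root_included}

# --- constructed sample input: unsigned stand-ins with only the TBS fields read above ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body if len(body) < 128 else bytes([tag, 0x82, len(body) >> 8, len(body) & 0xFF]) + body

def _name(cn):      # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))

def fake_cert(subject, issuer):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")  # version, serial, sigAlg
           + _name(issuer) + _tlv(0x30, b"") + _name(subject))                     # issuer, validity, subject
    return _tlv(0x30, _tlv(0x30, tbs))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

LEAF = to_pem(fake_cert("www.example.com", "Example Intermediate CA"))   # placeholder names
INTER = to_pem(fake_cert("Example Intermediate CA", "Example Root CA"))
ROOT = to_pem(fake_cert("Example Root CA", "Example Root CA"))
```

Run `check_chain` on the bundle a server actually serves (for example the PEM blocks saved from an `openssl s_client -showcerts` session) to see the same two findings on real certificates.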