What's My Chain Cert?

By SSLMate

Did you know that when you install an SSL certificate, you have to install not only your site's certificate, but also one or more intermediate (a.k.a. chain) certificates? Failure to install the correct chain can cause certificate errors in browsers, driving visitors away from your site. To complicate matters, some browsers cache intermediate certificates, or download missing intermediates on-demand, meaning that an improperly-configured chain could work in some browsers but not others, making this an annoying problem to debug. Plus, when you renew your certificate, you might need to install new intermediate certificates.

This site tests if your server is serving the correct certificate chain, tells you what chain you should be serving, and helps you configure your server to serve it.

Test Your Server

Checks port 443 (HTTPS) by default. For a different port, specify it with the hostname like: example.com:993

Generate the Correct Chain

The generated chain will include your server's leaf certificate, followed by every required intermediate certificate, optionally followed by the root certificate.

Include the Root Certificate?

You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores. Including the root is inefficient since it increases the size of the SSL handshake.

A separate chain that includes the root certificate is sometimes used for other purposes, such as OCSP stapling. Such advanced configuration is beyond the scope of this guide, although the generator will generate such chains if you check the "Include Root Certificate" box.

Configure Your Server

Note: some software requires you to put your site's certificate chain (e.g. example.com.chained.crt) and your private key (e.g. example.com.key) in separate files, while other software requires you to put them in the same file.

You can generate the combined file (example.com.combined.pem) with a command such as:

cat example.com.key example.com.chained.crt > example.com.combined.pem

Contribute config templates


SSLEngine on

SSLCertificateKeyFile /path/to/example.com.key

SSLCertificateFile /path/to/example.com.chained.crt


ssl on;

ssl_certificate_key /path/to/example.com.key;

ssl_certificate /path/to/example.com.chained.crt;


ssl.engine = "enable"

ssl.pemfile = "/path/to/example.com.combined.pem"


key = /path/to/example.com.key

cert = /path/to/example.com.chained.crt


key /path/to/example.com.key

cert /path/to/example.com.chained.crt

Dovecot 2

ssl_key = </path/to/example.com.key

ssl_cert = </path/to/example.com.chained.crt


smtp_tls_security_level = may

smtpd_tls_security_level = may

smtpd_tls_key_file = /path/to/example.com.key

smtpd_tls_cert_file = /path/to/example.com.chained.crt


ssl = {

key = "/path/to/example.com.key";

certificate = "/path/to/example.com.chained.crt";


Don't forget to restart your server software after changing its configuration!

Make Sure Your Site Stays Fixed

Cert Spotter monitors your entire SSL certificate portfolio and alerts you about security and availability problems like incorrect certificate chains and unauthorized or expiring certificates.