Certificate Chain: a beginner's guide
Validate SSL certificate chain
Certificate chains: why some browsers say your site is broken and others don't
An SSL certificate chain (also called a certificate path) is the linked list of certificates that connects the certificate on your web server all the way back to a root certificate authority that the browser trusts. Your server's certificate is signed by an intermediate CA, which is itself signed by another intermediate (sometimes a third), which is finally signed by a root CA in the browser's trust store. The browser walks this chain at the start of every connection to verify that the certificate is legitimate. If any link in the chain is missing, the browser cannot complete the verification, and the certificate is treated as untrusted — even if the underlying certificate is perfectly valid.
You should care because broken certificate chains are the source of the most frustrating SSL bug in production: "the site works on my Mac but not on my Android phone," or "works on Chrome but not on Firefox." The reason is that different browsers ship with slightly different sets of intermediate CAs. Chrome on macOS might already have the missing intermediate cached from a previous site, so it stitches the chain together silently. Firefox on Linux might not, so it shows a full-page warning. The certificate is the same in both cases. The chain configuration on the server is what differs.
The five things every chain check looks at:
Does the server send the full chain? The web server should send your leaf certificate plus every intermediate, but not the root. Sending only the leaf is the most common bug.
Are the intermediates current? Intermediate CAs are reissued on a slower schedule than leaf certificates and occasionally change.
Is the chain ordered correctly? From leaf to intermediate to (optionally) cross-signing intermediate, in that exact order.
Are there any cross-signing certificates? Some chains have alternative paths through different roots for compatibility with older devices.
Are there any expired or revoked links? Even one expired intermediate breaks the entire chain.
Three questions a chain check answers:
Is my server sending the complete certificate chain, or only the leaf?
Did the intermediate certificate change after my last cert renewal, in a way I didn't notice?
Is my chain valid in every major browser, or only in some?
The cost of a broken chain is silent partial outage: a fraction of your visitors get warnings while the rest see your site normally. The fix is to update the server's `certificate.crt` file to include all intermediates, in the right order. Most modern certificate-issuance tools (Certbot, Caddy, the Let's Encrypt clients) handle this automatically — but the bug still appears in production all the time, especially after manual cert installations.
The Certificate Chain endpoint, in plain language
In one sentence: Validate SSL (Secure Sockets Layer) certificate chain
Validates the SSL/TLS certificate chain for a domain by performing a TLS (Transport Layer Security) handshake and enriching the result with certificate details from Certificate Transparency logs. Returns the leaf certificate with SANs, expiration, key type, and issuer chain, plus automated issue detection.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Performs a TLS (Transport Layer Security) handshake to confirm the certificate chain is trusted, then retrieves certificate metadata from Certificate Transparency logs (crt.sh). Returns the leaf certificate details including subject, issuer, SANs, validity dates, days until expiration, key type, and certificate validation level (DV/OV/EV). Detects issues like expired certificates, certificates expiring soon, self-signed leaves, and weak signature algorithms.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Certificate Chain tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Expired or misconfigured certificates cause outages and browser warnings. This endpoint lets you monitor certificate expiration, verify deployments, and audit certificate security — all from a single API (Application Programming Interface) call. The daysRemaining field enables proactive alerting before certificates expire.
Picture this in real life. Imagine a system administrator walking into this situation: users report certificate warnings, and they need to check whether the intermediate certificates are properly installed. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Certificate Chain tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Certificate Chain tool is built for you:
Is my website encrypted properly, or are visitors going to see a scary browser warning?
Am I missing any of the security headers that modern browsers expect?
Could a known weakness on my site quietly be costing me trust, traffic, or compliance?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Founders and freelancers running their own sites, agencies handing off projects to clients, security and compliance teams chasing audit findings, and developers hardening login pages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and visitors get browser warnings, search engines lose trust in your site, and a single missed setting can become a public security incident. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/domain/cert-chain`.
When would I actually use this?
If you're still on the fence about whether the Certificate Chain tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a system administrator, a devops engineer, and a security auditor — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: SSL Troubleshooting
Imagine you're a system administrator. Users report certificate warnings. Check if intermediate certificates are properly installed.
Why it matters: Diagnose certificate chain issues causing browser warnings.
Story 2: Certificate Deployment Verification
Imagine you're a devops engineer. After deploying new certificates, verify the complete chain is properly configured.
Why it matters: Catch certificate deployment issues before they affect users.
Story 3: Security Assessment
Imagine you're a security auditor. Audit certificate chain configuration as part of infrastructure security review.
Why it matters: Document certificate chain security for compliance reporting.
Story 4: Certificate Expiration Monitoring
Imagine you're a devops engineer. Monitor certificate expiration across your domains using the daysRemaining field to trigger alerts before certificates expire.
Why it matters: Prevent outages caused by expired certificates with proactive monitoring.
Common situations across teams. Beyond the stories above, here are the everyday workplace moments when people across the company reach for the Certificate Chain tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
After every site redesign or platform migration.
Before a penetration test, security review, or vendor questionnaire.
When your SSL certificate is about to expire and you want to confirm the renewal worked.
On a recurring monthly schedule, so you catch new issues before attackers do.
If you can see yourself in even one of those bullets, the Certificate Chain tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Certificate Chain tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Certificate Chain tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/domain/cert-chain?domain=example.com"
```
What you need to provide
You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to validate the certificate chain for | example.com |
| port | number | Optional | Port to connect to (default: 443) | 443 |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| port | number | The port used for the connection |
| chain | array | Certificates in the chain, ordered from leaf to root |
| chain[].position | number | Zero-indexed position in the chain |
| chain[].type | string | Certificate type: leaf, intermediate, or root |
| chain[].subject | string | Certificate subject (common name) |
| chain[].issuer | string | Certificate issuer |
| chain[].validFrom | string or null | Certificate validity start date (ISO 8601), or null if unavailable |
| chain[].validTo | string or null | Certificate validity end date (ISO 8601), or null if unavailable |
| chain[].daysRemaining | number or null | Days until the certificate expires, or null if the validity date is unavailable |
| chain[].serialNumber | string or null | Certificate serial number, or null if unavailable |
| chain[].signatureAlgorithm | string | Signature algorithm (e.g., SHA256withRSA) |
| chain[].keyType | string or null | Key type: RSA, ECDSA, or null if unknown |
| chain[].certificateType | string or null | Certificate validation level: DV, OV, EV, or null |
| chain[].san | array | Subject Alternative Names (domains covered) |
| chain[].isCA | boolean | Whether this is a CA certificate |
| chain[].isSelfSigned | boolean | Whether the certificate is self-signed |
| isComplete | boolean | Whether the chain is complete |
| hasValidRoot | boolean | Whether the chain leads to a trusted root CA |
| chainLength | number | Number of certificates in the chain |
| issues | array | Chain validation issues: expired, expiring_soon, not_yet_valid, self_signed_leaf, weak_signature, domain_name_mismatch, chain_partial, chain_incomplete |
| timestamp | string | ISO 8601 timestamp of when the analysis was performed |
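As an added example (not EdgeDNS's own code), here is the checklist from the top of this page (leaf first, each certificate issued by the next one, no expired or expiring link, no weak signature) re-derived client-side from the response fields in the table above, together with a small urllib call to the endpoint. The sample response, the weak-signature list, and the issue names leaf_not_first and chain_out_of_order are assumptions made for this example.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.edgedns.dev/v1/domain/cert-chain"  # endpoint documented above
WEAK_SIGNATURES = {"MD5withRSA", "SHA1withRSA", "SHA1withECDSA"}  # this example's own list


def fetch_chain(domain, api_key, port=443):
    """Call the endpoint (needs network) and return the parsed JSON object."""
    url = API + "?" + urllib.parse.urlencode({"domain": domain, "port": port})
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def audit_chain(result, warn_days=14):
    """Re-derive problems from the response fields; returns sorted issue names.
    Endpoint names are reused where they exist; leaf_not_first and
    chain_out_of_order are names chosen for this example."""
    chain = result.get("chain") or []
    problems = set(result.get("issues", []))
    if not chain or not result.get("isComplete", False):
        problems.add("chain_incomplete")
    if chain and (chain[0]["type"] != "leaf" or chain[0]["isCA"]):
        problems.add("leaf_not_first")  # the server must send the leaf first
    if chain and chain[0]["isSelfSigned"]:
        problems.add("self_signed_leaf")
    for cur, nxt in zip(chain, chain[1:]):  # each cert must be issued by the next one
        if cur["issuer"] != nxt["subject"]:
            problems.add("chain_out_of_order")
    for cert in chain:  # one expired intermediate breaks the whole chain
        days = cert.get("daysRemaining")
        if days is not None and days < 0:
            problems.add("expired")
        elif days is not None and days <= warn_days:
            problems.add("expiring_soon")
        if cert.get("signatureAlgorithm") in WEAK_SIGNATURES:
            problems.add("weak_signature")
    return sorted(problems)


# Constructed sample shaped like the documented response (not real API output).
SAMPLE = {"domain": "example.com", "port": 443, "isComplete": True, "issues": [], "chain": [
    {"position": 0, "type": "leaf", "subject": "example.com", "issuer": "Example Issuing CA",
     "daysRemaining": 9, "isCA": False, "isSelfSigned": False, "signatureAlgorithm": "SHA256withRSA"},
    {"position": 1, "type": "intermediate", "subject": "Example Issuing CA", "issuer": "Example Root CA",
     "daysRemaining": 700, "isCA": True, "isSelfSigned": False, "signatureAlgorithm": "SHA256withRSA"},
]}
```

Against a live domain, `audit_chain(fetch_chain("example.com", "edns_live_YOUR_KEY"))` gives the same list, which is a convenient thing to feed into an alert when it is non-empty.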
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.
SSL (Secure Sockets Layer) — The original encryption used by HTTPS. The name stuck even though every modern site actually uses TLS, the newer replacement.
TLS (Transport Layer Security) — The encryption that puts the 'S' in HTTPS. It scrambles data so nobody between you and a website can read it.