Certificate chain inputs

  • Source: Live host fetches the served chain; PEM text validates pasted certificate blocks.
  • Host or URL: examples are example.com, https://example.com, and edge.example.com:8443.
  • PEM text: paste one or more PEM certificate blocks beginning with -----BEGIN CERTIFICATE-----.
  • Port: accepted range 1-65535; default 443 for normal HTTPS.
  • SNI override: leave blank to use the host name, or enter the virtual host sent in SNI.
  • Expected hostname: example api.example.com; useful for PEM bundles or alternate SNI targets.
  • Timeout: accepted range 1000-15000 ms; raise for slow endpoints or issuer URLs.
  • Include root certificate: default off for web-server bundles; turn on only for installers that ask for the root.
  • Max fetch depth: accepted range 1-12 issuer fetch steps; the default fits most web chains.
Introduction:

Many TLS outages begin with a certificate that looks valid in isolation but cannot be trusted as part of the chain a client receives. The service certificate may be fresh and correctly named, yet a browser, API client, load balancer, mail gateway, or monitoring probe can still fail if the intermediate certificate is missing, the server presents the wrong virtual-host certificate, or the bundled file stops before clients can connect it to a trusted root.

A certificate chain is the path from the service certificate toward a trust anchor. The leaf certificate identifies the service and carries the public key used during the TLS handshake. Intermediate certificate authority certificates connect that leaf to a higher authority. A root certificate is usually already in the client trust store, so most web-server bundles send the leaf and intermediates but leave the root out unless a specific appliance or installer asks for it.

Certificate chain from leaf certificate through intermediate certificate authority to root trust anchor.

Several checks have to agree before a chain is ready to install. The leaf must cover the hostname or IP address being served. Each child certificate should name the next certificate as its issuer, and the parent public key should validate the child's signature. Every certificate must be within its validity window. The key and signature profile should be strong enough for current TLS use, and the leaf should be allowed for server authentication when Extended Key Usage is present.

  • Live endpoint review: shows what the server actually presents for a hostname, port, and optional Server Name Indication value.
  • PEM bundle review: shows whether pasted certificate blocks can be ordered, linked, and packaged before deployment.
  • Install bundle review: checks whether the export includes the leaf and required intermediates, with root inclusion controlled by the destination's policy.

A connected path is still not the same as universal trust. Client root stores differ, private PKI can have local trust anchors, revocation checks may be enforced by some clients but not others, and clocks can be wrong. Chain review is strongest as a deployment preflight: it catches common packaging, naming, expiry, and cryptographic problems before a renewed certificate reaches production.

How to Use This Tool:

Choose the source that matches the certificate material you need to verify. Live host checks what a running TLS endpoint serves. PEM text checks certificate blocks before they are installed or sent to another team.

  1. Select Live host or PEM text. PEM mode expects one or more complete -----BEGIN CERTIFICATE----- blocks.
  2. For live checks, enter Host or URL. Use a hostname, URL, or host:port target, then set Port only when the TLS listener is not on 443.
  3. Set SNI override when a shared endpoint chooses certificates by virtual host. Set Expected hostname when PEM input needs a name check or when the service name differs from the connection target.
  4. Adjust Timeout and Max fetch depth only when a slow endpoint or missing issuer needs more time for CA Issuers recovery.
  5. Leave Include root certificate off for ordinary web-server bundles unless the destination explicitly asks for the root.
  6. Click Build chain. Fix invalid host, invalid PEM, timeout, or no-certificate errors before trusting any table, chart, or exported bundle.
  7. Start with Chain Review, then use Repair Plan, Certificate Steps, Certificate Expiry Ladder, and Validation Signals before copying or downloading from Install Bundle.

When live and PEM checks disagree, treat the live result as the deployment truth and the PEM result as a file review. A staged rollout, wrong SNI value, or load-balanced node can make those two paths diverge.

Interpreting Results:

COMPLETE means the assembled path reached a self-signed tail before the root export choice was applied. PARTIAL means path building stopped early, commonly because the parent was missing from the pasted set, no CA Issuers URL was available, a fetch failed, or the depth limit was reached.

  • Action needed marks blocking issues such as incomplete chain, expired certificate, hostname mismatch, or failed parent signature validation.
  • Review marks warnings such as not-yet-valid material, final-month expiry, issuer distinguished-name mismatch, weak key, weak signature, missing server-auth EKU, ignored extra certificates, or other warning text.
  • Hostname mismatch means the leaf certificate does not cover the selected hostname or IP target, even when issuer links are connected.
  • Root omitted usually means the chain reached a self-signed root but the export stops at the last intermediate because Include root certificate is off.
  • Healthy means no blocking or warning signal was returned in this run. It does not prove every client trust store, revocation policy, or load-balanced node will accept the deployment.

Use the repair plan for change order, not the chart alone. Expiry runway is important, but a connected path with a wrong hostname or failed signature remains unsafe to ship.

Technical Details:

X.509 path building starts with the target certificate and searches upward for issuer certificates until it reaches a self-signed certificate or another stopping point. A candidate parent is not accepted by name alone. The child issuer distinguished name should match the parent subject distinguished name, and the parent public key must validate the child's signature. Similar names with different keys are not enough.
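The path-building rule above, as an added example written here in Go's standard crypto/x509 package (not the tool's own code): a candidate parent is linked only when its subject DN matches the child's issuer DN and its key validates the child's signature, and the walk stops at a self-signed tail or at the fetch-depth limit. mkCert, findParent and BuildPath are names chosen for this example, and the certificates are throwaway ones generated inside it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a throwaway test certificate (constructed for this example, not real CA material).
// A nil parent produces a self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // only a CA-flagged parent passes CheckSignatureFrom
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// findParent accepts a candidate only when subject DN == child issuer DN AND its key validates the child's signature.
func findParent(child *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, c := range pool {
		if c.Subject.String() == child.Issuer.String() && child.CheckSignatureFrom(c) == nil {
			return c // a same-name look-alike with a different key never reaches here
		}
	}
	return nil
}

// BuildPath walks upward from the leaf; complete is true only when a self-signed CA tail was reached within maxDepth steps.
func BuildPath(leaf *x509.Certificate, pool []*x509.Certificate, maxDepth int) (path []*x509.Certificate, complete bool) {
	path = []*x509.Certificate{leaf}
	for cur := leaf; cur.CheckSignatureFrom(cur) != nil; cur = path[len(path)-1] {
		next := findParent(cur, pool)
		if next == nil || len(path) > maxDepth {
			return path, false // PARTIAL: missing issuer, or the depth limit was reached
		}
		path = append(path, next)
	}
	return path, true // COMPLETE
}
```

The depth limit mirrors Max fetch depth: it counts issuer steps taken from the leaf, so a root reachable only on step N+1 leaves the path PARTIAL when the limit is N.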

Hostname validation is a separate service-identity check. Subject Alternative Name entries are the normal identifiers for DNS names and IP addresses, and Server Name Indication can change the leaf certificate that a shared TLS listener presents. Extended Key Usage can also restrict a leaf certificate, so a server certificate that lists EKU values should include TLS Web Server Authentication or any-EKU.

Formula Core:

Expiry runway is calculated for each certificate from the current check time. The day count uses a ceiling operation so a certificate expiring later today still shows one day of runway rather than zero.

days to expiry = ceil((notAfter - check time) / 86,400,000 ms)

Negative values are expired. Values from 0 through 30 days are final-month warnings. The expiry badge is driven by the earliest available certificate expiry in the assembled path, while the chart plots each certificate separately.
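The runway formula and badge rule above, as an added Go example (not the tool's own code): DaysToExpiry applies the ceiling so a certificate expiring later today still shows one day, Classify maps the day count to expired / final-month / ok, and ChainExpiryBadge derives the badge from the earliest expiry in the path. The function names and the "unknown" result for an empty path are choices made here.

```go
package main

import (
	"math"
	"time"
)

const msPerDay = 86_400_000

// DaysToExpiry applies ceil((notAfter - checkTime) / 86,400,000 ms):
// +6 h gives 1, +36 h gives 2, and -72 h gives -3.
func DaysToExpiry(notAfter, checkTime time.Time) int {
	return int(math.Ceil(float64(notAfter.Sub(checkTime).Milliseconds()) / msPerDay))
}

// Classify maps a day count to the badge levels described in the text:
// negative = expired, 0 through 30 = final-month warning, otherwise ok.
func Classify(days int) string {
	switch {
	case days < 0:
		return "expired"
	case days <= 30:
		return "final-month"
	}
	return "ok"
}

// ChainExpiryBadge drives the badge from the earliest expiry in the assembled path;
// each certificate's own day count is what the ladder chart would plot separately.
func ChainExpiryBadge(notAfters []time.Time, checkTime time.Time) (earliestDays int, badge string) {
	if len(notAfters) == 0 {
		return 0, "unknown" // no expiry values available for the chain
	}
	earliestDays = math.MaxInt
	for _, na := range notAfters {
		if d := DaysToExpiry(na, checkTime); d < earliestDays {
			earliestDays = d
		}
	}
	return earliestDays, Classify(earliestDays)
}
```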

Rule Core:

Certificate chain health rules:

| Signal | Rule | Effect |
| --- | --- | --- |
| Chain completeness | The path reaches a self-signed tail before the maximum fetch depth. | Incomplete paths trigger Action needed. |
| Hostname coverage | The leaf covers the expected DNS name or IP target. | Mismatch triggers Action needed. |
| Parent linkage | Issuer distinguished name and child signature validate against the next certificate. | Signature mismatch triggers Action needed; issuer-name mismatch triggers Review. |
| Validity period | Expired certificates block; not-yet-valid and final-month certificates warn. | Expired material triggers Action needed; timing warnings trigger Review. |
| Key strength | RSA, RSA-PSS, or DSA below 2048 bits is weak; EC below 224 bits is weak; Ed25519 and Ed448 are treated as modern. | Weak keys trigger Review. |
| Signature strength | MD2, MD4, MD5, and SHA-1 signatures are weak. | Weak signatures trigger Review. |
| Server-auth EKU | A leaf with EKU values should include TLS Web Server Authentication or any-EKU. | Missing server-auth EKU triggers Review. |
| Extra certificates | Parsed certificates outside the selected leaf-to-parent path are ignored. | Ignored certificates are reported so unused material is not silently exported. |

CA Issuers URLs in Authority Information Access can help recover missing parents. That recovery is useful for diagnosis, but a deployment that relies on clients fetching intermediates may still fail because many clients expect the server to send the necessary intermediates. A deployment-ready PEM bundle should match the destination's order and root-inclusion policy.

Privacy Notes:

Live-host checks send the target host, port, optional SNI value, expected hostname, timeout, root preference, and fetch depth to a server-side checker so it can open the TLS connection and assemble the chain. PEM mode sends the pasted certificate blocks for the same chain-building review.

  • Use PEM mode only with certificate material you are allowed to submit for analysis.
  • The checker may contact the target TLS endpoint and public CA Issuers URLs found in the certificates.
  • The result is diagnostic evidence, not a complete client root-store audit, revocation guarantee, or proof that every deployed node serves the same chain.

Advanced Tips:

  • Set SNI override to the exact virtual host when the connection target is an IP address, shared edge, or load balancer name.
  • Use Expected hostname in PEM mode so the leaf certificate is checked against the service name instead of only being linked to its issuers.
  • Raise Timeout before raising Max fetch depth when the error suggests a slow endpoint or CA Issuers URL rather than a long chain.
  • Keep Include root certificate off for normal web-server bundles, then enable it only for platforms that explicitly require a root in the supplied file.
  • After installing a repaired bundle, rerun Live host against each important hostname and port because PEM mode cannot prove what the endpoint is serving.

Worked Examples:

Missing intermediate on a live endpoint

Checking edge.example.com:8443 returns PARTIAL with a missing issuer warning. The fix is to install the correct intermediate on the endpoint, then run Build chain again until Certificate Steps shows verified parent links.

PEM bundle for the wrong service name

A pasted leaf plus intermediate can form a connected path while Expected hostname set to api.example.com reports Hostname mismatch. The chain may be well packaged, but the leaf is not valid for that service name.

Complete chain with root omitted

A successful live check can show Root omitted. That is often correct for a web-server export because clients already have the trusted root. Enable Include root certificate only when the receiving installer or appliance asks for it.

FAQ:

Does a complete chain guarantee every client will trust the service?

No. COMPLETE means the assembled path reached a self-signed tail. Client trust still depends on root stores, local policy, revocation handling, clock accuracy, pinning, and application rules.

Why can Live host and PEM text return different answers?

Live host checks what the endpoint serves over TLS. PEM text checks the certificate blocks you pasted. They can differ during renewals, staged rollouts, wrong SNI routing, or load-balanced deployments.

Why does hostname show as not checked?

PEM mode needs Expected hostname when there is no live host or SNI value to use as a target. Without a target name, the chain can be linked but hostname coverage cannot be evaluated.

Why were extra certificates ignored?

Certificates that do not fit the selected leaf-to-parent path are left out and reported as ignored. That keeps unused material from making the install bundle look cleaner than it is.

What should I do with invalid PEM or timeout errors?

For PEM input, paste complete certificate blocks with begin and end lines. For live checks, confirm the hostname and port, then raise Timeout only when the endpoint or issuer source is known to be slow.

Glossary:

Leaf certificate
The end-entity certificate presented for the service itself.
Intermediate CA
A certificate authority certificate that links the leaf certificate toward a trusted root.
Trust anchor
A root certificate or equivalent trusted CA entry accepted by a client before it sees the served chain.
SNI
Server Name Indication, the TLS extension that lets a shared endpoint choose a certificate for a hostname.
AIA
Authority Information Access, used here for CA Issuers URLs that may point to missing parent certificates.
EKU
Extended Key Usage, an extension that can restrict a certificate to server authentication or other purposes.