What impact does the “Incomplete Certificate Chain” error have on your website? A missing chain certificate can indirectly cause problems related to the security of your website, and could impact your visitors’ ability to reach your website on certain mobile devices (mostly Android).
Fortunately, your hosting provider/certificate supplier can easily fix the Incomplete Certificate Chain for you. Still, it might be interesting to know why this occurs in the first place.
Chain of Trust: When is a certificate considered trustworthy?
Security via SSL is based on the Chain of Trust. In the chain of trust, certificates are issued and signed by certificates that are higher up in the hierarchy. This hierarchy verifies the validity of a certificate’s issuer.
For an SSL certificate to be considered trustworthy, it must have been issued by a certificate authority (CA) that is included in the trusted store of the connecting device.
Root Certificate from Certificate Authorities (e.g. DigiCert)
Certificate Authorities are trusted organizations that verify websites to confirm the identity of the person/entity you are communicating with. The core tasks of CAs include:
- Domain validation – verifying that the domain is owned by the person/entity who requested the domain validation.
- Organization validation – verifying that the business is legitimate by reviewing the information provided by the requestor, and using additional information to ensure the legitimacy of the provided information.
- Extended validation (deprecated) – validation process that goes beyond organization validation by taking an extensive look at the requestor’s organization: operational existence, physical address verification, verification by phone call, etc.
Web browsers contain a built-in list of CA identities using root certificates from the CA. This allows the browser to identify and accept the CA-issued SSL certificate. The root certificate has extremely strict security guidelines because any certificate signed using its private key will automatically be trusted by browsers.
Root certificates are used to digitally sign intermediate certificates, essentially transferring a part of their “trust” to the intermediate. The signature is made with the root certificate’s trusted private key, which is what makes the intermediate trusted by the browser.
CAs do not issue certificates directly from their roots. Instead, they add a layer of security by issuing intermediate certificates and signing server certificates with those. This means that in the (unlikely) event where a wrongly issued certificate has to be revoked, the intermediate certificate can be revoked instead of the entire root certificate, so that only the group of certificates issued off that intermediate becomes untrusted.
Server Certificate (domain-specific)
The server certificate is issued to a specific domain. It is used to authenticate the server to which it has been issued and to facilitate secure HTTPS connections. The server certificate ensures that visitors are able to connect securely without worrying about possible malicious interference.
Reasons why the Incomplete Certificate Chain error can occur
The server certificate is signed by the intermediate, and the intermediate is signed by the root certificate, which the browser can identify. Because every link in the certificate chain is trusted, validation completes successfully.
If the certificate is not provided by a trusted authority or the certificate from the CA is not found in the built-in trust list, this indicates an issue with the SSL certificate chain. In these cases, your visitors might get an “incomplete chain” error.
Verify that the certificate chain on your webserver is complete by testing this with a tool such as SSL Labs’ Test: https://www.ssllabs.com/ssltest/
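What an incomplete chain looks like from the client side, as an added example that is not part of the original article: it uses the `openssl` command line to build a constructed root, intermediate and server certificate in a temporary directory, then validates the server certificate with and without the intermediate. The names (`constructed-root`, `constructed-int`, `constructed-leaf`) and the helper functions are made up for this sketch.

```sh
#!/bin/sh
# Added example. Every certificate here is constructed on the fly (CN=constructed-*).

# build_chain DIR: create root -> intermediate -> leaf in DIR (root.pem, int.pem, leaf.pem).
build_chain() {
    ( cd "$1" || exit 1
      # Root and intermediate must be marked as CAs to be allowed to sign.
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      for n in root int leaf; do
          openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
              -keyout "$n.key" -out "$n.csr" || exit 1
      done
      # Root is self-signed; it stands in for an entry in the device's trusted store.
      openssl x509 -req -in root.csr -signkey root.key -days 30 \
          -extfile ca.ext -out root.pem &&
      # Intermediate is signed by the root, the server (leaf) certificate by the intermediate.
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -days 30 -extfile ca.ext -out int.pem &&
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
          -days 30 -out leaf.pem
    ) >/dev/null 2>&1
}

# chain_ok DIR [SENT]: can a client with root.pem as its trust anchor validate
# leaf.pem, given the extra certificates the server sent (SENT, may be omitted)?
chain_ok() {
    openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} "$1/leaf.pem" \
        >/dev/null 2>&1
}

dir=$(mktemp -d) || exit 1
build_chain "$dir" || { echo "openssl failed to build the chain" >&2; exit 1; }
# Server sends only its own certificate: the client cannot reach the root.
if chain_ok "$dir"; then echo "leaf only: trusted"
else echo "leaf only: NOT trusted (incomplete chain)"; fi
# Server sends its certificate plus the intermediate: the chain is complete.
if chain_ok "$dir" "$dir/int.pem"; then echo "leaf + intermediate: trusted"
else echo "leaf + intermediate: NOT trusted"; fi
rm -rf "$dir"
```

The server certificate is identical in both checks; the only difference is whether the intermediate is supplied alongside it.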
How to fix the Incomplete Certificate Chain
In almost all cases, it would be advisable to contact your hosting provider to fix the incomplete certificate chain issue. Your hosting provider can help you obtain the necessary intermediate certificates and add them to your configuration.
Alternatively, you can opt to generate the intermediate certificate using an online tool such as What’s My Chain Cert? You can then upload the newly generated certificate file and install the SSL certificate to your webserver.