Fixing SSL Incomplete certificate chain error

What impact does the “Incomplete Certificate Chain” error have on your website? A missing chain certificate can indirectly cause problems related to the security of your website, and could impact your visitors’ ability to reach your website on certain mobile devices (mostly Android).

Fortunately, your hosting provider/certificate supplier can easily fix the Incomplete Certificate Chain for you. Still, it might be interesting to know why this occurs in the first place.

Chain of Trust: When is a certificate considered trustworthy?

Security via SSL is based on the Chain of Trust. In the chain of trust, certificates are issued and signed by certificates that are higher up in the hierarchy. This hierarchy verifies the validity of a certificate’s issuer.

For an SSL certificate to be considered trustworthy, it must have been issued by a certificate authority (CA) that is included in the trusted store of the connecting device.

Root Certificate from Certificate Authorities (e.g. DigiCert)

Certificate Authorities are trusted organizations that verify websites, to confirm the identity of the person/entity you are communicating with. The core tasks of CA’s include:

  • Domain validation – verifying that the domain is owned by the person/entity who requested the domain validation.
  • Organization validation – verifying that the business is legitimate by reviewing the information provided by the requestor, and using additional information to ensure the legitimacy of the provided information.
  • Extended validation (deprecated) – validation process that goes beyond organization validation by taking an extensive look at the requestor’s organization: operational existence, physical address verification, verification by phone call, etc.

Web browsers contain a built-in list of CA identities using root certificates from the CA. This allows the browser to identify and accept the CA-issued SSL certificate. The root certificate has extremely strict security guidelines because any certificate signed using its private key will automatically be trusted by browsers.

Intermediate Certificate

Root certificates are used to digitally sign intermediate certificates, essentially transferring a part of its “trust” to the intermediate. The signature comes from the root certificate’s trusted private key, making it trusted by the browser.

CA’s do not issue certificates directly from their roots, instead, they add layers of security by issuing intermediate certificates and then signing the certificates using those. This means that in the (unlikely) event where a wrongly issued certificate has to be revoked, the intermediate certificate can be revoked: which solely causes the group of certificates issued off that intermediate to become untrusted, instead of invalidating the entire root certificate.

Server Certificate (domain-specific)

The server certificate is issued to a specific domain. It is used to authenticate the server to which it has been issued and to facilitate secure HTTPS connections. The server certificate ensures that visitors are able to connect securely without worrying about possible malicious interference.

Reasons why the Incomplete Certificate Chain error may occur

The server certificate is signed by the intermediate, and the intermediate is signed by the root certificate, which can be identified by the browser. This makes the validation complete successfully: as the entire certificate chain is trusted.

If the certificate is not provided by a trusted authority, or the certificate from the CA is not found in the built-in trust list, this indicates an issue with the SSL certificate chain. In these cases, your visitors might receive an “incomplete chain” error when visiting your website over HTTPS/SSL.

You can verify whether the certificate chain on your webserver is complete, by testing the site with a tool such as SSL Labs:

How to fix the Incomplete Certificate Chain

In almost all cases, we recommend contacting your hosting provider to fix the “Incomplete certificate chain” issue. This is often the simplest solution, as your hosting provider can help you obtain the necessary intermediate certificate(s) and add these to your configuration.

Alternatively, you can manually generate the intermediate certificate by using a tool such as What’s My Chain Cert?. Paste the contents of your current SSL certificate (.crt) in the input field under Generate the Correct Chain, after which you can click the Generate Chain button to download the correct Intermediate certificate/CA Bundle.

You can now install the correct Intermediate certificate/CA Bundle in your web hosting control panel (e.g. cPanel/Plesk). The exact steps will depend on the control panel being used, but you can typically navigate to the SSL/TLS section, find your currently installed SSL certificate, and enter the new Intermediate certificate in the input field labeled “CA Bundle”.

Please find further instructions on how to install SSL certificates on commonly used web hosting control panels below:

Lightweight plugin, Heavyweight Security features. Get Pro and leverage your SSL certificate for WordPress security standards.