A certificate is trusted because it is signed by an intermediate certificate, which is signed by a root certificate that is already built into your browser or operating system. This linked sequence is the "chain of trust".
Browsers ship with a list of trusted root Certificate Authorities. Your site's certificate chains up to one of those roots through one or more intermediate certificates. If any link is missing or invalid, trust breaks.
Check your website
See how your site handles how ssl certificates work: the chain of trust — free, no account needed.
For business owners
Understanding the chain of trust explains a whole class of confusing errors: "certificate not trusted" on some phones but not others usually means an intermediate certificate is missing from what your server sends. Getting the chain right once, and automating it, prevents mysterious device-specific failures that erode customer confidence.
How it works (technical)
Trust is hierarchical:
- Root CA — a self-signed certificate pre-installed in browser/OS trust stores. Roots are kept offline and rarely used directly.
- Intermediate CA — signed by the root, used to issue end-entity certificates. This isolates the precious root.
- Leaf certificate — your website's certificate, signed by an intermediate.
During the TLS handshake your server must present the leaf and the intermediates. The browser verifies each signature up to a trusted root. Revocation is checked via CRL or OCSP.
Real-world example
A site worked in Chrome on desktop but showed "not trusted" on some older Android devices. The cause: the server only sent the leaf certificate. Those devices did not have the intermediate cached, so the chain could not be built. Adding the intermediate to the server's certificate bundle fixed it everywhere.
Why it matters
Incomplete chains, expired intermediates, and revoked certificates all cause trust failures that scanners flag and customers experience as broken padlocks. The chain is the mechanism behind every "is this certificate valid?" decision.
How to fix it
Always install the full chain (leaf + intermediate certificates) on your server.
Use a tool like SSL Labs to confirm the chain is complete and correctly ordered.
Enable OCSP stapling so revocation checks are fast and private.
Keep server software updated so it trusts current roots and intermediates.
Best practices
Serve intermediates in the correct order (leaf first, then intermediates).
Automate issuance so chains are always assembled correctly.
Monitor for upcoming root/intermediate transitions from your CA.
Common mistakes
Installing only the leaf certificate and omitting intermediates.
Serving certificates in the wrong order.
Ignoring CA notices about intermediate or root changes.
Frequently asked questions
Why do some devices show an error and others do not?
Usually a missing intermediate. Browsers that already cached the intermediate succeed; those that did not cannot complete the chain.
What is a root store?
The list of trusted root CAs shipped by your browser or operating system. Everything trusted chains back to one of these roots.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free