Learning how to verify a certificate chain is important especially if you installed a new SSL certificate on your server. You do not want a visitor being prompted with certificate warning messages as they are browsing your site. This will not lead to a good experience and will cause visitors to not trust your website.

What is a Certificate Chain

A certificate chain is a number of certificates starting from the root certificate to the end-user certificate. This ensures a trusted and encrypted connection between your website and your visitors. Typically you will have multiple intermediate certificates depending on the issuer you obtained your SSL certificate from.

Verify the Chain Online

You can verify that the certificate chain is installed correctly by using an online diagnostic tool such as the one by Digicert. Simply input your domain name and it will check your SSL certificate and ensure it is installed correctly to include the full chain. You can also utilize this tool to check specific ports and subdomains such as imap.yourdomain.com. There is also an option to search for vulnerabilities such as Heartbleed etc.

Verify the Certificate on a Web Server

You can also use OpenSSL via SSH to verify that your certificate(s) are installed correctly. Certificates are normally stored in PEM format (.pem) and can be installed within your web server, email server, etc. It is important to verify that the bundle is correctly installed anywhere you are utilizing it. The below basic OpenSSL command will verify the certificate on your system.

openssl verify certificate.pem


You can also utilize -capath and -cafile to specify the CA if its not already set up to use an installed set of root certificates.