Certificate Chain Validator

You have a bundle of SSL certificates and need to verify that the chain is complete and correctly ordered — leaf certificate first, intermediates next, root CA last. This tool parses the chain and validates each link.

What Gets Checked

1. Chain order: Each certificate’s Issuer must match the next certificate’s Subject
2. Expiration: Flags expired certificates and those expiring within 30 days
3. Self-signed root: The last certificate should be self-signed (Subject equals Issuer)
4. Completeness: Warns if the chain appears incomplete (e.g., missing intermediate)
5. Duplicates: Detects duplicate certificates in the chain

How to Extract a Certificate Chain

# Full chain from a live server
echo | openssl s_client -showcerts -connect example.com:443 2>/dev/null

# From a PEM bundle file
cat fullchain.pem

Chain Structure

A typical certificate chain has three levels:

[Leaf Certificate]     ← Your domain's certificate
  └── signed by →
[Intermediate CA]      ← Certificate Authority's intermediate
  └── signed by →
[Root CA]              ← Trust anchor (self-signed)

Web servers should send the leaf and intermediate certificates. The root CA is usually pre-installed in browsers and operating systems.

Frequently Asked Questions

Does this verify cryptographic signatures? This tool validates the chain structure (issuer/subject matching, order, expiration). Full cryptographic signature verification requires the complete trust store, which is beyond browser-based processing.

What format is expected? PEM format — one or more certificate blocks starting with -----BEGIN CERTIFICATE-----.

How is this different from the SSL Certificate Decoder? The decoder shows detailed fields of individual certificates. The chain validator checks the relationships between certificates in a chain.