DevTulz Online

SSL Certificate Chain Builder



What is a Certificate Chain?

An X.509 certificate chain (also called a chain of trust) links your server's SSL/TLS certificate back to a trusted root Certificate Authority (CA) through one or more intermediate certificates. Browsers and clients verify this entire chain before trusting a connection. If any intermediate certificate is missing from your server's configuration, clients may show SSL errors even though your leaf certificate is valid. This tool automatically reconstructs the full chain by reading the Authority Information Access (AIA) extension in each certificate and fetching the issuer certificate from the URL embedded in that extension — repeating until it reaches a self-signed root CA.

How to Use the Certificate Chain Builder

  1. Export your server certificate in PEM format (the file containing -----BEGIN CERTIFICATE-----) from your web server, load balancer, or certificate provider.

  2. Paste the PEM-encoded certificate into the input field.

  3. Click 'Build Chain' — the tool reads the AIA extension and fetches intermediate certificates automatically.

  4. Review the full chain displayed below: leaf certificate, intermediates, and root CA.

  5. Each certificate shows subject, issuer, validity dates, serial number, and signature algorithm.

  6. Click 'Copy Chain' or 'Download Chain' to get the concatenated PEM bundle ready to deploy on your server.

Frequently Asked Questions

Why do I get an SSL error even though my certificate is valid? The most common cause is a missing intermediate certificate. Browsers require the full chain from your leaf certificate up to a trusted root CA. If your server only sends the leaf certificate, clients that don't have the intermediate cached will fail to verify the chain.

What is the AIA (Authority Information Access) extension? The AIA extension is an X.509 certificate field that contains URLs where clients can download the issuer's certificate. This tool reads those URLs and fetches each intermediate certificate automatically to build the complete chain.
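As an added example (not the tool's own code), the Python below shows what the AIA lookup described in the overview and in the answer above involves: it walks a certificate's DER bytes, finds the AIA extension, and returns only the caIssuers URLs, skipping OCSP entries and non-HTTP schemes. The helper names, the HTTP-only filter and the `example.test` sample URLs are assumptions of this example.

```python
# Added example, not the tool's own code. Standard library only; sample data is constructed.
AIA_OID = bytes.fromhex("2b06010505070101")         # 1.3.6.1.5.5.7.1.1  authorityInfoAccess
OCSP_OID = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 ocsp
CA_ISSUERS_OID = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 caIssuers

def children(buf):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated DER header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                     # long form: low 7 bits count the length bytes
            n = length & 0x7F
            if n == 0 or pos + n > len(buf):
                raise ValueError("bad DER length")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length

def find_aia(der):
    """Depth-first search for the AIA extension; return its extnValue bytes, or None."""
    items = list(children(der))
    for i, (tag, value) in enumerate(items):
        if tag == 0x06 and value == AIA_OID:  # extnID; the OCTET STRING after it is extnValue
            return next((v for t, v in items[i + 1:] if t == 0x04), None)
        if tag & 0x20 and (found := find_aia(value)) is not None:  # constructed: recurse
            return found

def ca_issuers_urls(der):
    """Return the http(s) caIssuers URLs found in DER bytes; [] when there is no AIA."""
    urls = []
    for _, seq in children(find_aia(der) or b""):      # AuthorityInfoAccessSyntax
        for _, desc in children(seq):                  # one AccessDescription each
            fields = list(children(desc))              # accessMethod OID, then [6] URI (tag 0x86)
            if len(fields) == 2 and fields[0] == (0x06, CA_ISSUERS_OID) and fields[1][0] == 0x86:
                urls.append(fields[1][1].decode("ascii"))
    return [u for u in urls if u.lower().startswith(("http://", "https://"))]

def tlv(tag, body):                           # encoder for the constructed sample (< 256 bytes)
    return bytes([tag] + ([n] if (n := len(body)) < 128 else [0x81, n])) + body

def sample_extensions():  # constructed [3] extensions block, not a full certificate
    entries = [(OCSP_OID, b"http://ocsp.example.test"),
               (CA_ISSUERS_OID, b"http://ca.example.test/int.crt"),
               (CA_ISSUERS_OID, b"ldap://ca.example.test/cn=int")]
    aia = tlv(0x30, b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x86, u)) for o, u in entries))
    return tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, AIA_OID) + tlv(0x04, aia))))
```

For a real certificate, convert the PEM text with `ssl.PEM_cert_to_DER_cert` before calling `ca_issuers_urls`; an empty list corresponds to the 'No AIA extension found' case.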

What does 'Chain incomplete: No AIA extension found' mean? Some root or intermediate certificates don't include AIA URLs, usually because they expect the issuer to be in the client's trust store. If the chain stops early, check your certificate provider's documentation for the intermediate certificate download link.

How do I install the full chain on my server? Download the chain PEM file and configure your server to use it as the certificate bundle. In Nginx, set ssl_certificate to the full chain file. In Apache, use SSLCertificateChainFile. In HAProxy, concatenate the leaf certificate and chain into a single PEM file.
