If you have ever opened your site on an iPhone and seen “This Connection Is Not Private,” while Chrome on your laptop looks fine, you have run into a broken SSL certificate chain. The browser does not trust something in the middle.
This guide explains what the chain actually is, why it sometimes breaks, and how to check and fix it without needing to be a security engineer.

Why SSL exists in the first place
SSL (or more accurately TLS, its modern successor) does two things. It encrypts traffic between the browser and your server so nobody in the middle can read it, and it proves to the browser that your site is actually your site and not a clever imitation.
The first job is handled by the encryption keys. The second job is handled by the certificate chain.
The three parts of the chain
A certificate chain is a list of three kinds of certificate, working from the most trusted down to the least.
- Root certificate. Owned by a certificate authority like Let’s Encrypt, DigiCert, or Sectigo. These are baked into every browser on earth. The browser trusts them by default.
- Intermediate certificate. Issued by the root. Acts as the middle rung. Roots do not directly sign customer certificates, for security reasons.
- Leaf (or server) certificate. The one your site owns. Issued by the intermediate. It has your domain name on it.
How the browser checks the chain
When a visitor hits your HTTPS site, the server sends back the leaf certificate plus any intermediates. The browser then asks: is the leaf signed by a certificate I recognise? If not, can the thing that signed it be traced back to a root I trust?
If the chain is complete, the padlock shows. If the browser cannot walk from your leaf up to a trusted root, it shows a warning. That is almost always because an intermediate certificate is missing from what the server sends.
Why the chain breaks
Three common causes account for most real-world chain errors:
- The host forgot to install the intermediate. Some control panels only ask for the leaf certificate.
- The intermediate was installed but in the wrong order. TLS is picky about order: the leaf comes first, followed by the intermediate that signed it.
- An intermediate has expired or been reissued. Certificate authorities rotate intermediates every few years.
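The walk from leaf to root and the three failure causes above, modelled as an added example (not code from the original article). It chains by subject and issuer name only and does not verify signatures; `Cert`, `diagnose_chain` and all sample names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str         # who the certificate is for
    issuer: str          # who signed it
    not_after: datetime  # expiry time


def diagnose_chain(sent, trusted_roots, now):
    """Return problems in `sent` (certificates in the order the server sends
    them), given `trusted_roots` (root subject names in the client's trust
    store). An empty list means the leaf chains to a trusted root."""
    if not sent:
        return ["server sent no certificates"]
    by_subject = {c.subject: c for c in sent}
    signers = {c.issuer for c in sent if c.issuer != c.subject}
    # The leaf is the certificate that signs nothing else in the list.
    leaf = next((c for c in sent if c.subject not in signers), sent[0])

    problems, path = [], [leaf]
    # Walk upward until the current certificate's issuer is a trusted root.
    while path[-1].issuer not in trusted_roots:
        parent = by_subject.get(path[-1].issuer)
        if parent is None or parent in path:  # not sent, or a loop
            problems.append(f"missing intermediate: {path[-1].issuer}")
            break
        path.append(parent)

    if sent[:len(path)] != path:
        problems.append("wrong order: leaf first, then each issuer in turn")
    problems += [f"expired: {c.subject}" for c in path if c.not_after <= now]
    return problems


# Constructed sample data: names and dates are made up for this example.
UTC = timezone.utc
NOW = datetime(2026, 1, 1, tzinfo=UTC)
ROOTS = {"Example Root CA"}
LEAF = Cert("www.example.com", "Example Intermediate R1", datetime(2026, 3, 1, tzinfo=UTC))
INTER = Cert("Example Intermediate R1", "Example Root CA", datetime(2028, 1, 1, tzinfo=UTC))
STALE = Cert("Example Intermediate R1", "Example Root CA", datetime(2025, 6, 1, tzinfo=UTC))

for name, chain in [("complete", [LEAF, INTER]), ("leaf only", [LEAF]),
                    ("reversed", [INTER, LEAF]), ("stale", [LEAF, STALE])]:
    print(f"{name:10}", diagnose_chain(chain, ROOTS, NOW) or "ok")
```

The "leaf only" case is the one that produces the iPhone-only warning: a client that already holds the intermediate can still complete the walk, while one that does not stops at the first step.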
How to check your own chain
Three free tools will tell you whether your chain is clean. Pick one, paste your domain, and read the result.
- SSL Labs test, the classic. Gives a letter grade and lists every chain issue.
- What’s My Chain Cert, faster and more focused on chain completeness.
- Chrome DevTools: Security tab while viewing your site. Shows the full chain as Chrome sees it.
How to fix a broken chain
If you have server access through a hosting control panel, there is usually a CA Bundle or Intermediate box next to where you pasted the leaf certificate. Pasting the full intermediate bundle there fixes most errors.
If you are on managed WordPress hosting, you should not need to touch this at all. HostPoco’s plans install and rotate the full chain automatically, and the charity programme does the same for free accounts.
What about wildcard and multi-domain certificates?
The chain works the same way for any certificate type. A wildcard certificate (covering *.yourdomain.com) or a multi-domain certificate (covering several domains) still has a leaf signed by an intermediate signed by a root. The shape of the chain does not change, only what the leaf is allowed to cover.
Frequently asked questions
What is the difference between a root certificate and an intermediate certificate?
The root is the top of the trust tree, owned by a certificate authority and built into browsers by default. Intermediates sit below the root and are used to sign customer certificates. Roots never sign customer certificates directly, for security reasons.
Why does my site work in Chrome but show a warning on iPhone?
This is almost always a missing intermediate certificate. Different browsers cache different intermediates, so one may find the chain while another cannot. Fix the server-side chain once and both will show the padlock.
How often do I need to renew my SSL certificate?
Let’s Encrypt certificates renew every 90 days, automatically on any decent host. Paid certificates typically last 12 to 13 months. Either way, managed hosts handle the renewal for you.
Is a free Let’s Encrypt certificate as good as a paid one?
For most sites, yes. Let’s Encrypt uses the same modern encryption and passes all browser checks. Paid certificates add extended-validation badges and warranty coverage that most small sites do not need.
Can I get a free SSL certificate with WordPress hosting?
Yes. Any reputable managed WordPress host in 2026 includes a free Let’s Encrypt certificate, installed and renewed automatically. HostPoco includes this on every plan and on the charity programme.
