What Is a Certificate Chain?
A certificate chain (also called a chain of trust) is the ordered sequence of TLS/SSL certificates that links your server's certificate back to a trusted root Certificate Authority (CA). It allows clients to verify that your certificate was issued by a trusted source.
How the Chain of Trust Works
The certificate chain consists of three levels. At the bottom is the leaf certificate (also called the end-entity certificate), which is the one issued specifically for your domain. Above it are one or more intermediate certificates, issued by the root CA to delegate signing authority. At the top is the root certificate, a self-signed certificate from a Certificate Authority that is pre-installed in operating systems and browsers as a trust anchor.
When a client (browser, email server, or application) connects to your server, it receives the leaf certificate and any intermediate certificates. The client then walks the chain upward: it verifies that the leaf was signed by the intermediate, that the intermediate was signed by the root, and that the root is in its trusted certificate store. If every link checks out, the connection is trusted.
Why Certificate Chains Matter for Email
Email servers use TLS certificates to encrypt SMTP connections via STARTTLS. When your mail server presents its certificate during the TLS handshake, the connecting server verifies the full certificate chain. A broken or incomplete chain means the remote server cannot verify trust, which may cause it to refuse the encrypted connection, fall back to unencrypted delivery, or reject the message entirely.
This is especially critical with providers that enforce strict TLS policies or use MTA-STS to require encrypted connections. An expired or misconfigured certificate chain on your mail server can silently break email delivery to security-conscious recipients.
Common Certificate Chain Issues
The most common issue is a missing intermediate certificate. Your server must send the full chain (leaf + intermediates) because clients only have root certificates pre-installed. Other issues include expired certificates anywhere in the chain, incorrect certificate order, or a leaf certificate signed by an untrusted CA. All of these break the chain of trust and cause verification failures.
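The following script is an added example, not part of this article. It builds a toy three-level chain with openssl (a self-signed root, an intermediate, and a leaf for the fictional host mail.example.test), then does what a connecting client does: trusts only the root, takes whatever the server sent as untrusted intermediates, and verifies the leaf. It also shows the failures described above: the same valid leaf fails verification when the intermediate is not sent, a bundle with the intermediate placed before the leaf is flagged as out of order, and openssl's -checkend is used to warn about certificates nearing expiry anywhere in the chain. It assumes openssl 1.1.1 or newer is on PATH; all names, lifetimes and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds a toy chain
# (root -> intermediate -> leaf for a fictional mail host), verifies it the
# way a connecting client does, and flags a missing intermediate, a wrongly
# ordered bundle, and certificates that are expired or about to expire.
# Assumes openssl 1.1.1+ on PATH. All names below are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Generate a private key and a CSR for the given file prefix and subject CN.
make_csr() {   # $1 = file prefix, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {
  # Root: self-signed, CA:TRUE, long lived; this is the trust anchor.
  make_csr root "Toy Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.pem 2>/dev/null
  # Intermediate: signed by the root; may sign leaves but no further CAs.
  make_csr int "Toy Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile int.ext -out int.pem 2>/dev/null
  # Leaf: signed by the intermediate, 90-day lifetime, names the mail host.
  make_csr leaf "mail.example.test"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 90 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# What a client does: trust only the root, treat what the server sent as
# untrusted intermediates, check the signature path and the hostname.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted int.pem \
    -verify_hostname mail.example.test leaf.pem >/dev/null 2>&1 && echo ok || echo fail
}

# Same client, but the server omitted the intermediate: the root alone cannot
# link to the leaf, so verification fails even though the leaf itself is valid.
verify_without_intermediate() {
  openssl verify -CAfile root.pem -verify_hostname mail.example.test \
    leaf.pem >/dev/null 2>&1 && echo ok || echo fail
}

# Check a server-style bundle (leaf first, then intermediates): each
# certificate's issuer must equal the subject of the certificate after it.
check_order() {   # $1 = PEM bundle
  d=$(mktemp -d)
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/cert-" n ".pem")}' "$1"
  n=$(ls "$d" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$d/cert-$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$d/cert-$((i + 1)).pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "wrong order at position $i"; return 0
    fi
    i=$((i + 1))
  done
  echo ordered
}

# -checkend N exits non-zero when the certificate is expired or expires within
# N seconds; run it on every certificate in the chain, not only the leaf.
expiry_status() {   # $1 = PEM file, $2 = warning window in seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1 && echo valid || echo expiring
}

build_chain
cat leaf.pem int.pem > server-bundle.pem   # correct: leaf first, then intermediate
cat int.pem leaf.pem > wrong-bundle.pem    # wrong: intermediate first
echo "chain with intermediate:    $(verify_with_intermediate)"
echo "chain without intermediate: $(verify_without_intermediate)"
echo "server-bundle.pem order:    $(check_order server-bundle.pem)"
echo "wrong-bundle.pem order:     $(check_order wrong-bundle.pem)"
echo "leaf valid today:           $(expiry_status leaf.pem 0)"
echo "leaf valid in 100 days:     $(expiry_status leaf.pem $((100 * 86400)))"
```

The root is deliberately never put in the bundle: clients already hold it, and verify is told to trust only root.pem, which is why the leaf-only case fails. To run check_order and expiry_status against what a real mail server actually sends, capture its chain with openssl s_client -starttls smtp -connect host:25 -showcerts and save the PEM blocks it prints, in the order printed, to a bundle file.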
Frequently Asked Questions
What are root, intermediate, and leaf certificates?
The leaf certificate is issued to your domain. Intermediate certificates are issued by a root CA to delegate signing. The root certificate is self-signed and pre-installed in browsers and operating systems as a trust anchor. The chain goes: leaf → intermediate(s) → root.
Why does my server need to send intermediate certificates?
Clients only have root certificates pre-installed. They need the intermediates to build the full chain from your leaf certificate to a trusted root. Without them, the chain is broken and the connection fails with a certificate error, even if your leaf certificate is valid.
How does a certificate chain relate to email security?
Email servers use TLS certificates to encrypt SMTP connections. A broken chain means other servers may refuse encrypted connections, falling back to unencrypted delivery or rejecting messages entirely. This affects both email privacy and deliverability.