Certificate Chain Checker
Paste a certificate chain (leaf + intermediates, optionally the root) and check that it's in the right order, each certificate is signed by the next, nothing has expired, and it builds to a trusted root.
Get a server's chain with openssl s_client -connect example.com:443 -showcerts.
Or just run an SSL test.
Incomplete chains break some clients and not others
It's one of the hardest TLS faults to spot from a desk. CertControl validates the full chain on every endpoint, on every scan — and flags a missing intermediate before your API clients hit it.
Validate every chain →Why chain order and completeness matter
A TLS server must present its leaf certificate plus every intermediate up to (but not including) a trusted root, in order. Miss an intermediate and desktop browsers may paper over it while API clients, mobile apps and server-to-server calls reject the connection — the classic "works in Chrome, fails in curl" bug. This certificate chain checker verifies the order, checks each signature link, flags expired certificates, and tells you whether the chain builds to a trusted root.
Why does my site work in browsers but fail in curl or mobile apps?
Almost always a missing intermediate certificate. Desktop browsers often cache or fetch the missing link and paper over the gap, while curl, mobile apps and server-to-server clients reject the chain outright. This checker flags exactly which link is missing or out of order.
Should the root certificate be included in the chain?
Normally no. A server should send its leaf plus every intermediate up to — but not including — the trusted root, which clients already hold. Including the root is harmless but adds bytes to every handshake; omitting an intermediate is the real fault.
How do I get my server's chain to paste here?
Run openssl s_client -connect example.com:443 -showcerts and copy the certificate
blocks it prints, or simply run an SSL test
on the host and read the chain there.