Visit this blog post “Understanding Web App Server Certificate Chains” that explains how certificate chains (also called chains of trust) work in HTTPS/TLS for web and application servers. A chain consists of:
The leaf certificate (server’s own cert, proving its domain and public key),
One or more intermediate certificates (issued by a Certificate Authority such as Let’s Encrypt or DigiCert),
A trusted root certificate (pre-installed in browsers, OS, or JVM trust stores).
During the TLS handshake, the server sends the leaf + intermediate(s); the client verifies signatures step-by-step back to a trusted root. Browsers often auto-fetch missing intermediates, but non-browser clients (e.g., Java/Spring Boot apps, backend services) frequently fail with errors like “PKIX path building failed” or “unable to get local issuer certificate” if the full chain isn’t provided.
Hi, I’m Wajid Khan. I am trying to explain computer stuff in a simple and engaging manner, so that even non-techies can easily understand, delivered to your inbox weekly.
Thanks for reading Wajid Khan! Subscribe for free to receive new posts and support my work.
