When your application calls an HTTPS endpoint like:

https://api.domain.net

your browser or backend service doesn’t just trust it automatically. It verifies a certificate chain to ensure the server is legitimate and not part of a man-in-the-middle attack.

If you’ve ever seen errors like:

PKIX path building failed
SSLHandshakeException
certificate chain incomplete
unable to get local issuer certificate

this article is for you.

What Is a Certificate Chain?

A certificate chain (also called a chain of trust) is a sequence of certificates that links:

Your Website Certificate
        ↓
Intermediate Certificate
        ↓
Root Certificate (Trusted by OS/Browser/JVM)

Let’s break it down.

1️⃣ Leaf Certificate (Server Certificate)

This is the certificate issued to your website.

Example:

CN=api.domain.net

It proves:

• The domain identity

• The public key of the server

• The validity period

But this certificate is not trusted by itself.

2️⃣ Intermediate Certificate

Issued by a Certificate Authority (CA) like:

• DigiCert

• GeoTrust

• GlobalSign

• Let’s Encrypt

The intermediate signs your server certificate.

Why not sign directly with the root?
Because root keys are highly protected and rarely used.

3️⃣ Root Certificate

Example:

CN=DigiCert Global Root CA

This certificate:

• Is self-signed

• Is already installed in:

  • Windows

  • macOS

  • Linux

  • Browsers

  • Java truststore (cacerts)

If your chain successfully links to a trusted root → connection is secure.

How the Trust Verification Works

When a client connects:

1. Server sends:

   • Leaf certificate

   • Intermediate certificate(s)

2. Client verifies:

   • Domain matches

   • Signature chain is valid

   • Root exists in trust store

If any link is missing → TLS handshake fails.

Why Browsers Work but Java Fails

Browsers:

• Automatically download missing intermediate certificates.

Java (Spring Boot, RestTemplate, WebClient):

• Does NOT auto-download intermediates.

• Requires full chain during handshake.

That’s why backend services often fail even when the browser works.

Inspecting Certificate Chains Using Git Bash + OpenSSL

Git for Windows includes OpenSSL inside Git Bash.

Step 1: Open Git Bash

Step 2: Run This Command

openssl s_client -connect api.domain.net:443 -showcerts

What This Does

• Connects to port 443 (HTTPS)

• Performs TLS handshake

• Displays all certificates sent by the server

Example Output (Healthy Chain)

Certificate chain
 0 s:CN=api.domain.net
   i:CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

 1 s:CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1
   i:CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Interpretation

LevelMeaning0Your website certificate1Intermediate certificateRootAlready trusted by system

This is correct configuration.

Example Output (Broken Chain)

Certificate chain
 0 s:CN=api.domain.net
   i:CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Only certificate 0 is present.

This means:

• Intermediate certificate is missing

• Java clients will fail

• Error: PKIX path building failed

Extract and Analyze a Specific Certificate

You can inspect a certificate in readable format:

openssl s_client -connect api.domain.net:443 -showcerts </dev/null \
| openssl x509 -noout -text

This shows:

• Validity dates

• Public key length

• Signature algorithm

• Subject Alternative Names (SAN)

• Key Usage

Check Expiration Quickly

openssl s_client -connect api.domain.net:443 </dev/null \
| openssl x509 -noout -dates

Output example:

notBefore=Aug 23 00:00:00 2025 GMT
notAfter=Feb 23 23:59:59 2026 GMT

Common TLS Errors and What They Mean

ErrorRoot CausePKIX path building failedMissing intermediate certificateunable to get local issuer certificateChain incompletecertificate expiredLeaf or intermediate expiredhostname verification failedCN/SAN mismatch

Best Practice for Servers

Always configure your server with:

Full Chain Certificate = Leaf + Intermediate(s)

Not just the leaf certificate alone.

If using:

• Azure App Service → upload full-chain PFX

• Nginx → use fullchain.pem

• Apache → use SSLCertificateChainFile

• Docker → ensure bundled cert includes intermediates

Visual Representation

Client (Browser / Java)
        ↓
[ Leaf Certificate ]
        ↓
[ Intermediate CA ]
        ↓
[ Root CA (Trusted Store) ]

If any link is missing → connection rejected.

Final Thoughts

Understanding certificate chains is essential for:

• Backend engineers

• DevOps teams

• Cloud architects

• API developers

It helps diagnose:

• Spring Boot SSL errors

• Azure deployment issues

• Load balancer TLS problems

• Reverse proxy misconfigurations

Whenever in doubt:

openssl s_client -connect yourdomain.com:443 -showcerts

This single command solves most TLS mysteries.

Video Demo

Hi, I’m Wajid Khan. I am trying to explain computer stuff in a simple and engaging manner, so that even non-techies can easily understand, delivered to your inbox weekly.

Thanks for reading Wajid Khan! Subscribe for free to receive new posts and support my work.

Explore My GitHub

My Blog Home Page

My Social Link Tree