DNS Spy
Knowledge Base
DNS Spy Security Checks
SSL Certificate Chain Validation

SSL Certificate Chain Validation

What This Check Does

The SSL Certificate Chain Validation check verifies that your server is presenting a complete and valid certificate chain. A complete chain includes your domain's end-entity certificate, any intermediate CA certificates, and a path that chains up to a trusted root CA. DNS Spy attempts to build and validate this chain — if it cannot be completed or verified, this check fails.

Why It Matters

An incomplete certificate chain causes TLS handshake failures for clients that don't cache intermediate certificates. While desktop browsers often work around missing intermediates using Authority Information Access (AIA) fetching, mobile clients, API clients, IoT devices, and strict TLS implementations do not. The result is that some visitors and integrations experience connection failures that appear intermittent and are difficult to diagnose.

A broken chain can also indicate certificate misconfiguration — for example, serving certificates in the wrong order, including an expired intermediate, or omitting a cross-signed certificate needed for compatibility with older trust stores.

Good vs. Bad Configuration

Bad Configuration

The server for example.com only sends the end-entity certificate. The intermediate CA certificate is missing from the chain. Some clients can complete the chain via AIA, but curl, OpenSSL, and mobile apps frequently fail with "certificate verify failed" errors.

Good Configuration

The server for example.com sends the complete chain: the domain certificate followed by one or more intermediate CA certificates. The chain validates to a trusted root CA. All clients — browsers, curl, APIs, and mobile apps — connect successfully.

How DNS Spy Monitors This

DNS Spy performs a full TLS handshake and attempts to validate the complete certificate chain during each monitoring cycle. If chain validation fails — due to missing intermediates, expired intermediates, or an untrusted root — an alert is raised. Correctly installing the full certificate chain on your server will resolve the alert on the next monitoring cycle.