Certificate Chain Validation Guide
Overview
How to validate certificate chains using OpenSSL, certutil, and online tools. Covers identifying missing intermediates, trust store gaps, and AIA/CDP verification.
Table of Contents
- Chain Validation Fundamentals
- OpenSSL Verification Commands
- Windows certutil Validation
- Online Validation Tools
- Missing Intermediate Diagnosis
- AIA and CDP Verification
- Trust Store Gap Analysis
- Automation Scripts
Overview
A certificate is only as trustworthy as its chain. Missing intermediates, expired root CAs, and misconfigured AIA extensions cause TLS failures that are notoriously difficult to diagnose — especially when the issue only manifests on specific clients or platforms. The server works fine in Chrome on Windows but fails on curl, Java clients, or mobile devices.
This guide provides a systematic approach to validating certificate chains using tools you already have. Starting with OpenSSL’s verify command and s_client connection testing, we walk through every step of chain resolution — from leaf certificate through intermediates to the trusted root. You’ll learn to identify exactly where a chain breaks, why certain clients fail while others succeed, and how AIA (Authority Information Access) fetching masks server-side misconfigurations.
The guide includes ready-to-use scripts for automated chain validation across your certificate inventory.
What You’ll Learn
- OpenSSL commands for complete chain validation with detailed error interpretation
- How to use certutil on Windows for chain building and trust path analysis
- Diagnosing the “works in browser, fails in code” problem caused by AIA fetching differences
- Identifying and resolving missing intermediate certificates across server platforms
- CDP and AIA extension verification to ensure revocation checking works end-to-end
- Automated scripts that validate chains across hundreds of endpoints in minutes
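The "works in browser, fails in code" problem, the missing-intermediate diagnosis and the AIA/CDP checks listed above can all be exercised offline with a throwaway PKI. The script below is an added example written for this page, not one of the guide's own scripts: it builds a root, an intermediate and a leaf with openssl, runs openssl verify against the leaf alone (what a client that does not fetch AIA sees when a server ships only its leaf) and then with the intermediate supplied, and lists the AIA and CDP URLs the leaf points at. It assumes a POSIX shell and openssl 1.1.1 or newer on PATH; every subject name, file name and http://*.example.test URL is constructed for the example, and the function names (build_test_pki, verify_chain, chain_urls, served_cert_count, count_pem_certs) are this example's own. served_cert_count goes beyond the offline demo and counts what a live server actually sends over TLS; it is not invoked here.

```shell
#!/bin/sh
# Added example, not part of the original guide: build a throwaway three-tier PKI
# (root -> intermediate -> leaf), reproduce the "missing intermediate" failure that
# openssl verify reports when only the leaf is available, show the fix (supplying
# the intermediate as untrusted input), and read the AIA/CDP URLs off the leaf.
# Assumes a POSIX shell and openssl 1.1.1+ on PATH. All names, paths and
# http://*.example.test URLs below are constructed for this example.
set -u

# build_test_pki DIR: write root.pem, int.pem, leaf.pem (plus keys) under DIR.
build_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Root CA: self-signed; keyUsage marks it as a certificate signer (P-256 keys keep it fast).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -days 30 -subj "/CN=Example Test Root" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1 || return 1
    # Intermediate CA: CSR signed by the root with CA:TRUE, pathlen:0.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -subj "/CN=Example Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1 || return 1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/int.ext"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/int.ext" \
        -out "$dir/int.pem" >/dev/null 2>&1 || return 1
    # Leaf: server certificate signed by the intermediate, carrying AIA (caIssuers,
    # OCSP) and CDP pointers to constructed URLs on a host that does not exist.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
authorityInfoAccess=caIssuers;URI:http://pki.example.test/int.crt,OCSP;URI:http://ocsp.example.test
crlDistributionPoints=URI:http://pki.example.test/int.crl
EOF
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_chain CAFILE LEAF [INTERMEDIATES]: run openssl verify and echo its output;
# the exit status is openssl's (0 = a path was built to a trusted root).
# Leaf only mirrors a non-AIA-fetching client talking to a server that ships no
# intermediate; with INTERMEDIATES it mirrors a correctly configured server.
verify_chain() {
    if [ $# -ge 3 ] && [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
    else
        openssl verify -CAfile "$1" "$2" 2>&1
    fi
}

# chain_urls CERT: print the AIA (caIssuers, OCSP) and CDP URIs in CERT, one per line.
# These are the URLs a client must be able to reach for AIA fetching and revocation
# checks, so each is worth probing from the client's own network, not just yours.
chain_urls() {
    openssl x509 -in "$1" -noout -ext authorityInfoAccess,crlDistributionPoints \
        | grep -o 'URI:[^ ,]*' | sed 's/^URI://'
}

# served_cert_count HOST [PORT]: count the certificates a TLS server actually sends.
# A count of 1 for a leaf that is not self-signed is the classic missing-intermediate
# setup. (Network call; not exercised by the offline demo below.)
served_cert_count() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# count_pem_certs FILE: count PEM certificates in a file (e.g. a saved s_client dump).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Offline demo against the constructed PKI.
workdir=$(mktemp -d)
build_test_pki "$workdir" || { echo "openssl setup failed"; exit 1; }
echo "--- leaf only: error 20 'unable to get local issuer certificate' expected ---"
verify_chain "$workdir/root.pem" "$workdir/leaf.pem" || true
echo "--- leaf + intermediate supplied: OK expected ---"
verify_chain "$workdir/root.pem" "$workdir/leaf.pem" "$workdir/int.pem"
echo "--- AIA/CDP URLs the leaf points at ---"
chain_urls "$workdir/leaf.pem"
```

Error 20 at depth 0 is the signature of a server that sends no intermediate: a browser with AIA fetching hides it by downloading the caIssuers URL, while curl, Java and most mobile stacks do not. To reproduce a real endpoint's view, save the output of served_cert_count's s_client call with -showcerts and feed the first PEM block as LEAF and the rest as INTERMEDIATES to verify_chain.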