P2 · PKI & Certificate Management

SSL Certificate Not Trusted — Incomplete Chain or Missing Intermediate CA

Q: How do I resolve SSL Certificate Not Trusted — Incomplete Chain or Missing Intermediate CA?

Identify missing chain member with openssl or SSL Labs • Download intermediate certificate from CA website or AIA extension • Install intermediate in correct Windows store — Intermediate Certification Authorities • Verify full chain with openssl after install and test in browser

Clients reject an SSL/TLS certificate because the server is not presenting the full certificate chain, an intermediate CA is missing from the Windows certificate store, or a self-signed certificate has not been distributed via Group Policy to clients.

Indicators

Browser shows 'Certificate issued by an unknown authority' or SEC_ERROR_UNKNOWN_ISSUER
curl output: SSL certificate problem: unable to get local issuer certificate
Windows applications report 'The certificate chain was issued by an authority that is not trusted'
Event ID 36887 (TLS alert 48 — unknown CA) in System event log

Likely causes

Web server not sending the intermediate certificate in the TLS handshake chain
Intermediate CA certificate not imported to Windows Intermediate Certification Authorities store
Self-signed or internal CA certificate deployed on server without root distributed to clients
Certificate renewed with a different CA; old intermediate not replaced on server
AIA (Authority Information Access) endpoint unreachable — clients cannot download missing intermediate

Diagnostic steps

Test chain: openssl s_client -connect hostname:443 -showcerts 2>/dev/null — review all certificates in chain; Issuer of leaf must match Subject of next in chain
Use SSL Labs: ssllabs.com/ssltest/analyze.html?d=hostname — instantly identifies missing intermediates, chain order issues and trust store problems
On server: ensure intermediate certificate is included in the PFX bundle or installed separately in certlm.msc > Intermediate Certification Authorities (not Personal)
Download missing intermediate from CA's website or extract from AIA URL in the leaf certificate: certutil -dump cert.cer | findstr AIA
For internal CA: distribute root cert via GPO — Computer Config > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities > Import
Verify AIA endpoint reachability: certutil -verify -urlfetch cert.cer — all CRL and AIA URLs must return HTTP 200

Resolution path

Identify missing chain member with openssl or SSL Labs
Download intermediate certificate from CA website or AIA extension
Install intermediate in correct Windows store — Intermediate Certification Authorities
Verify full chain with openssl after install and test in browser

Prevention

Always deploy certificates as full-chain PFX or PEM bundles
Add SSL Labs grade check to every certificate deployment runbook
Distribute all internal root and intermediate CAs via Group Policy
Automate chain verification as part of post-deployment health checks

Tools

openssl s_client -showcerts
SSL Labs (ssllabs.com/ssltest)
certlm.msc / MMC
certutil -verify -urlfetch
GPMC (for root CA distribution)
DigiCert Certificate Checker

ssltlscertificate-chainintermediate-caroot-catrustpkiopenssl