Every operating system comes with a set of default trusted root certificates. However, Certificate Authorities (CAs) usually don't directly use their root certificate to sign customer certificates. Instead, they use intermediate certificates, which can be rotated more frequently.
To ensure secure connections and avoid errors, servers should send a complete certificate chain to clients. This chain includes all the necessary certificates, starting from the specific certificate and leading up to the trusted root certificate (excluding it). When installing an SSL certificate on a server, it's crucial to also install the intermediate certificates.
Most web browsers are capable of automatically downloading any missing intermediate certificates to complete the certificate chain. However, some clients, particularly mobile browsers, may not support this feature. As a result, you may encounter 'untrusted' warnings in your browser, indicating a potentially insecure connection. Even if the browser supports this feature, it may lead to slower performance.
This tool automates the process of retrieving intermediate certificates by examining the certificate's Authority Information Access extension (RFC-3280) field. It then provides you with the full certificate chain to install, simplifying the task for you.
If you find this useful, check out Cert Chief to monitor your domains for expired certificates and bad configuration. Checks for certificate expiration, DNS problems, and so much more.