methodology / Security / #90
Certificate chain completeness
#90 · Recommended · Web Quality · weighted · Security · impl todo · source: certificate chain bytes returned by the server in the TLS handshake (TLS 1.2: the Worker reads the Certificate message directly; TLS 1.3: per-CertificateEntry parse via tls-cert-reader). The linkage check verifies that the issuer of certificate N matches the subject of certificate N+1 across the chain.
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
- Base weight: 1.0, applied to every site type unless overridden below
- Why this weight: incomplete chains break clients silently, and the failure never shows up in the browser the site owner tests with.
Per-site-type overrides
| Site type | Weight | Δ vs base |
|---|---|---|
| Personal site | 0.5 | -0.5 |
Site types not listed inherit the base weight.
What this means for your business
Desktop browsers can usually paper over a certificate installed without its intermediates, but many phones, apps, and older email clients can't: they show an error and refuse to connect. This is one of the most common silently-broken TLS setups on the web.
Plain title: Your padlock loads cleanly on every device
What we measure
We measure whether your server sends the full intermediate chain in the TLS handshake, rather than only the leaf certificate while relying on the client to fetch the missing intermediates itself from the certificate's AIA (Authority Information Access) URL. A missing intermediate is among the most common real-world certificate misconfigurations: modern desktop browsers paper over it (most by fetching the intermediate over AIA, Firefox from its preloaded intermediate cache), but mobile clients, IoT devices, older Java stacks, and many API clients fail outright, because they trust only what the server sends plus their local roots. Every working browser hides this bug; every broken automation surfaces it.
How to improve your score
Concatenate your leaf certificate with all intermediate certificates, in order (leaf→intermediate(s), stopping before the root: the root is already in the client's trust store, so sending it only adds bytes and some scanners flag it as a chain issue). Most ACME clients (certbot, acme.sh) produce this file for you; point your server at `fullchain.pem`, not `cert.pem` (nginx `ssl_certificate` and Apache 2.4.8+ `SSLCertificateFile` both accept the concatenated file). If you got your certificate from a non-ACME issuer, download the intermediate bundle from their site and append it to the leaf. Verify with `openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null`: you should see at least 2 certificates in the output, each certificate's `i:` (issuer) line should match the next certificate's `s:` (subject) line, and the summary should end with `Verify return code: 0 (ok)`.
Facts
Implementation notes
- pass = 100: at least 2 certificates returned and every link validates (issuer of cert N equals subject of cert N+1).
- warn = 60: a chain was sent but at least one link does not validate (a broken or misordered chain; clients have to repair it themselves).
- fail = 0: only the leaf was sent (clients must fetch intermediates via AIA, which fails for many non-browser clients).
The link test compares names only; it does not verify signatures. A chain sent out of order fails the link test even though TLS 1.3 clients are expected to tolerate arbitrary ordering after the leaf (RFC 8446 §4.4.2); fix the order anyway, since TLS 1.2 clients are not.
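The measurement described under "What we measure", the verification step of "How to improve your score", and the pass/warn/fail mapping in the implementation notes, as an added Go example. This is not the methodology's own scoring code (whose source is the Worker/tls-cert-reader path named in the header): `ProbeChain` captures the chain in wire order from a live handshake, `ScoreChain` applies the linkage rule, and `ConstructedChain` generates a throwaway root/intermediate/leaf hierarchy in memory so the demo runs offline. All names in it (`Verdict`, the functions, the `example.test` host and the `Example Test ...` CA names) are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict mirrors the factor's scoring: pass=100, warn=60, fail=0.
type Verdict struct {
	Score  int
	Reason string
}

// ScoreChain applies the linkage check to certificates in wire order: at least two
// certificates, and issuer(N) must equal subject(N+1). Names are compared as raw DER,
// which can never yield a false pass. Signatures are deliberately not verified here.
func ScoreChain(chain ...*x509.Certificate) Verdict {
	if len(chain) < 2 {
		return Verdict{0, "only the leaf (or nothing) was sent; clients must fetch intermediates via AIA"}
	}
	for i := 0; i+1 < len(chain); i++ {
		if !bytes.Equal(chain[i].RawIssuer, chain[i+1].RawSubject) {
			return Verdict{60, fmt.Sprintf("cert %d issuer %q != cert %d subject %q",
				i, chain[i].Issuer.CommonName, i+1, chain[i+1].Subject.CommonName)}
		}
	}
	if last := chain[len(chain)-1]; bytes.Equal(last.RawSubject, last.RawIssuer) {
		return Verdict{100, "chain linked; self-signed root included (redundant, safe to drop)"}
	}
	return Verdict{100, "chain complete and linked"}
}

// ProbeChain is a diagnostic client: it dials addr with SNI serverName and returns the
// certificates exactly as the server presented them. Trust verification is skipped on
// purpose so a broken chain is inspected instead of aborting; never reuse this config.
func ProbeChain(addr, serverName string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// ConstructedChain generates a throwaway root -> intermediate -> leaf hierarchy in memory
// (constructed for this example; no real CA is involved) so the check runs offline.
func ConstructedChain() (root, inter, leaf *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	sign := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		return c
	}
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		c := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
		if isCA {
			c.IsCA, c.BasicConstraintsValid, c.KeyUsage = true, true, x509.KeyUsageCertSign
		} else {
			c.DNSNames, c.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
			c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return c
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := tmpl(1, "Example Test Root", true)
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter = sign(tmpl(2, "Example Test Intermediate", true), root, &interKey.PublicKey, rootKey)
	leaf = sign(tmpl(3, "example.test", false), inter, &leafKey.PublicKey, interKey)
	return
}

func main() {
	root, inter, leaf := ConstructedChain()
	for _, tc := range []struct {
		name  string
		chain []*x509.Certificate
	}{
		{"leaf only", []*x509.Certificate{leaf}},
		{"leaf + root, intermediate missing", []*x509.Certificate{leaf, root}},
		{"leaf + intermediate", []*x509.Certificate{leaf, inter}},
		{"leaf + intermediate + root", []*x509.Certificate{leaf, inter, root}},
	} {
		v := ScoreChain(tc.chain...)
		fmt.Printf("%-36s score=%3d  %s\n", tc.name, v.Score, v.Reason)
	}
}
```

`go run .` prints the four constructed cases; to score a live host, call `ProbeChain("yourdomain.com:443", "yourdomain.com")` and pass the result to `ScoreChain`, which is the programmatic equivalent of reading the `s:`/`i:` lines from `openssl s_client -showcerts`. Two caveats: comparing names as raw DER is strict, so a CA that re-encodes its issuer name with a different string type (PrintableString versus UTF8String) would trip a warn that a full RFC 5280 name comparison would accept; and the check never verifies signatures, so a server that sends the right names with the wrong intermediate (a retired cross-sign, for example) still passes here and must be caught by a full path validation.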
Scoring
Scoring formulas are versioned with the methodology. The current method maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Version history
| Version | Change | Date |
|---|---|---|
| v0.1 | Factor introduced. Status: proposed. Scoring impl: todo. | 2026-04-25 |