Leaf, Chain, Root: Three Different Expiry Clocks
Your leaf certificate — the one issued for your hostname — is not the only certificate in the connection with an expiry date. Every TLS handshake presents a chain: the leaf, one or more intermediate certificates that link it to a certificate authority, and ultimately a root certificate that lives in the client's trust store. Each link has its own notAfter timestamp, its own renewal owner, and its own failure mode when it lapses. Leaf expiry is the failure everyone knows: your site breaks for everyone at a precise second. Chain and root expiries are stranger beasts — they break some clients and not others, they're caused by certificates you don't control, and they masquerade as bugs in your customers' code. Understanding which clock ran out is the difference between a five-minute fix and a very confusing day.
Related Reading
Anatomy of the Chain
The three tiers exist so that root certificate private keys — the crown jewels of internet trust — can stay offline in hardware security modules while day-to-day issuance happens with intermediate keys that can be rotated or revoked without replacing what's baked into billions of devices.
The Leaf (End-Entity) Certificate
Issued for your specific hostnames, valid for at most about 200 days for certificates issued since March 2026 (and shrinking — the CA/Browser Forum schedule takes public certificates to roughly 47-day maximums by 2029). This is the certificate your renewal automation manages, the one with your domain in its subject alternative names, and the one whose expiry takes your site down for every client simultaneously.
Intermediate Certificates
Issued by the CA to sign leaf certificates, typically valid for several years. Your server is responsible for sending intermediates during the handshake — clients are not guaranteed to have them. When a CA retires or rotates an intermediate, servers still serving the old one, or clients with odd caching behavior, produce validation failures that look nothing like a normal expiry. Let's Encrypt's periodic intermediate rotations are a recurring source of 'nothing changed on our side' incidents for teams that pinned or hard-coded an intermediate somewhere.
Root Certificates
Self-signed anchors shipped inside operating systems and browsers, valid for decades — which means when one finally expires, the clients affected are precisely the old devices and unpatched systems that never received a trust-store update. You cannot renew a root; you can only ensure your chain builds a path to a root each client actually trusts.
Case Studies: When the Chain Expired, Not the Leaf
Two real incidents show why chain expiry deserves its own monitoring category — in both, millions of perfectly valid leaf certificates became unusable for specific client populations overnight.
AddTrust External CA Root — May 30, 2020
A widely used Sectigo cross-signing root expired. Modern browsers didn't blink — they trusted the newer root and built an alternate path. But huge numbers of non-browser clients (older OpenSSL 1.0.x and GnuTLS versions, embedded devices, payment terminals, API integrations) validated the expired path and hard-failed. Sites were 'up' in every browser their operators checked while their partners' API calls failed — a support nightmare where every party's dashboard was green.
DST Root CA X3 — September 30, 2021
The root that gave Let's Encrypt its original cross-signed trust expired, by design and with years of warning. Android devices older than 7.1.1, old iOS/macOS versions, and clients on OpenSSL 1.0.2 lost the trust path. Let's Encrypt engineered a clever long-tail workaround for old Android, but plenty of B2B integrations and legacy fleets still broke that morning. Teams that had inventoried which chains their clients relied on had a quiet day; teams that hadn't spent it re-learning X.509 path building under pressure.
Monitoring a Commercial SaaS?
FourSight's free plan includes 10 commercial-safe monitors with multi-region validation — free forever, no card.
Start Monitoring FreeWhy Chain Failures Look So Weird
Chain problems produce the diagnostic signature that most confuses teams: 'works in Chrome, fails in curl' — or the reverse. The reason is that clients build trust paths differently. Desktop browsers cache intermediates from previous connections and can fetch missing ones on the fly (a mechanism called AIA fetching in Chrome and desktop Safari), so they often paper over a server that forgets to send its intermediate. Stricter clients — most mobile platforms, headless HTTP libraries, older TLS stacks, webhook senders — validate exactly the chain your server presents, and fail if it's incomplete or contains an expired link. So a misconfigured chain doesn't break 'the site'; it breaks a demographic: Android users but not desktop, your Stripe webhooks but not your QA browser, one partner's integration but not another's. If an outage report only affects some client types, suspect the chain before the leaf.
# See the FULL chain your server actually sends
echo | openssl s_client -servername yourdomain.com \
-connect yourdomain.com:443 -showcerts 2>/dev/null \
| grep -E "s:|i:"
# Verify the chain validates against a standard trust store
echo | openssl s_client -servername yourdomain.com \
-connect yourdomain.com:443 -verify_return_error 2>&1 \
| grep -E "Verify return code|verify error"
# Check EVERY certificate's expiry in the served chain, not just the leaf
echo | openssl s_client -servername yourdomain.com \
-connect yourdomain.com:443 -showcerts 2>/dev/null \
| awk '/BEGIN CERT/,/END CERT/' \
| openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
| openssl pkcs7 -print_certs -noout -text | grep "Not After"
The Configuration Mistake Behind Most Chain Incidents
The most common self-inflicted chain failure is embarrassingly simple: configuring the web server with the leaf certificate file instead of the full-chain file. Certbot writes both — cert.pem (leaf only) and fullchain.pem (leaf plus intermediates) — and nginx or HAProxy pointed at the wrong one will pass every desktop-browser test the team runs while failing mobile users and API clients. Close cousins: concatenating certificates in the wrong order for HAProxy's combined PEM format, updating the leaf during a renewal but leaving a stale intermediate file in place, and load balancers that manage chains separately from certificates so the two drift. The rule that prevents all of them: always deploy the full chain as one artifact from one source, and verify from outside — what matters is the chain the internet receives, not the files on disk.
Monitoring the Chain, Not Just the Countdown
A monitoring strategy built only on leaf-expiry countdown misses everything this guide describes. Complete coverage needs three assertions on every check: the leaf's days-to-expiry (the countdown), the completeness and validity of the served chain (would a strict client accept this exact sequence?), and hostname coverage (do the SANs actually cover this domain?). FourSight's SSL monitor performs all three on every check cycle from four regions — chain validation catches the missing-intermediate and expired-intermediate cases within one check of the misconfiguration going live, rather than when the first Android user complains. For belt-and-suspenders on high-stakes estates, add a periodic testssl.sh run in CI for deep configuration analysis; the external monitor covers continuous detection, the scanner covers depth.