
Author: Government Digital Service

Broken chain of trust

What this means

A chain of trust is established by validating each certificate in turn, from the end-entity (website) certificate, through any intermediate certificates, up to a root certificate that the client already trusts. Certificate authorities (CAs) provide this hierarchy: a trusted root CA signs intermediate CAs, which in turn sign the certificates presented by websites. A valid chain lets users confirm they are talking to the genuine site, stops malicious actors from impersonating legitimate websites (for example in a phishing attack), and supplies the authenticated public key on which the encrypted connection depends.

A broken chain of trust occurs when a website’s certificate cannot be validated back to a trusted root certificate authority. The client cannot establish the trust relationship, so it warns the user or refuses the connection.

Why this is a problem

A broken chain of trust is a problem because it undermines the foundational security principles of authentication, integrity, and confidentiality in digital communications and transactions.

Potential consequences include:

  • man-in-the-middle (MITM) attacks – attackers can exploit the lack of proper validation to secretly relay and potentially alter communication
  • impersonation and fraud – attackers can issue or use forged or stolen digital certificates to impersonate legitimate websites
  • malware distribution – compromised certificates can be used to sign malicious code, making it appear to be a legitimate software update from a trusted vendor
  • unauthorised access and privilege escalation – a compromised certificate authority (CA) can allow unauthorised access to networks and systems
  • reputation damage – security warnings in browsers quickly lose user confidence
  • weakened security posture – a broken chain of trust indicates fundamental weaknesses in Public Key Infrastructure (PKI) management and validation processes

How to check if the problem is there

To check for this problem, examine browser warnings, use an online SSL checker, or inspect the certificate chain directly, looking for expired certificates, missing intermediate certificates, or a path that does not end at a trusted root. Be aware that modern desktop browsers often cache intermediates or fetch them themselves, so a site with a missing intermediate can look healthy in the administrator’s own browser yet fail for command-line clients, mobile apps and older devices. Always test the chain exactly as the server sends it, from outside the organisation’s network.

Use an online checker service such as Hardenize or DigiCert to check the certificate validity and chain of trust.

How to fix the problem

To fix a broken chain of trust, obtain the missing or replaced intermediate certificates from the issuing certificate authority, install them on the server alongside the site certificate (the site certificate first, then each intermediate in order), reload the service, and retest the chain. The root certificate itself does not need to be sent, because clients must already hold it in their trust store.
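The check and the fix described above, as an added worked example rather than the page’s own procedure: the script builds a throwaway three-tier PKI (root, intermediate, server certificate) with openssl, validates the chain a server would send against the root alone, shows the "unable to get local issuer certificate" failure when the intermediate is missing, and shows the chain passing once the intermediate is appended. The CA names, the hostname www.example.gov.uk and all file names are assumptions for illustration; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page. Reproduces a broken chain of
# trust (intermediate missing from the chain the server sends) and its fix.
# Names, hostname and file names below are assumptions for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build root -> intermediate -> leaf. Keys are throwaway, unencrypted RSA.
# Extensions are given explicitly so the result does not depend on the
# defaults in the local openssl.cnf.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.gov.uk\n' \
    > "$WORK/leaf.ext"

  # Root CA: the only certificate the client is assumed to trust.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" \
    -out "$WORK/int.crt" >/dev/null 2>&1

  # Server (leaf) certificate, signed by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.gov.uk" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Validate the chain a server would send ($1 = leaf followed by any
# intermediates) against the trusted root only. Prints "ok" or "broken".
chain_status() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo ok
  else echo broken
  fi
}

# Extract openssl's diagnostic for the usual cause: an issuer the client can
# find neither in the sent chain nor in its trust store. Empty if the chain is fine.
chain_error() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" 2>&1 \
    | sed -n 's/.*\(unable to get local issuer certificate\).*/\1/p' | head -n 1
}

make_demo_pki

# Misconfiguration: the server is given only its own certificate.
cp "$WORK/leaf.crt" "$WORK/chain-broken.pem"
# Fix: append the intermediate supplied by the CA, leaf first. The root is
# not sent, because clients must already hold it in their trust store.
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/chain-fixed.pem"

echo "leaf only:           $(chain_status "$WORK/chain-broken.pem") $(chain_error "$WORK/chain-broken.pem")"
echo "leaf + intermediate: $(chain_status "$WORK/chain-fixed.pem")"

# Against a live site (assumed hostname) the equivalent check is:
#   openssl s_client -connect www.example.gov.uk:443 -servername www.example.gov.uk \
#     -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
# and the "Verify return code:" line of the s_client output reports 0 (ok) or
# 20 (unable to get local issuer certificate) for the chain as actually sent.
```

Run it with `sh` and it prints `broken unable to get local issuer certificate` for the leaf-only chain and `ok` once the intermediate is included. The same `-untrusted` pattern works on a real server: save the certificates that `openssl s_client -showcerts` returns into a file and verify them against the system trust store instead of the demo root.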
