After you install an SSL certificate on your web server, you should always run an SSL check to verify that everything is setup correctly. SSL/TLS certificates require not only your main certificate but also what they call intermediate certificates (chain) to also be installed. If you don’t have these setup properly, visitors could get a warning in their browsers, which in turn might drive them away. And depending on the browser and version, you may or may not see this warning if your certificate is setup incorrectly. That is why it is important to run an SSL check with a 3rd party tool.
How to Perform an SSL Check
We recommend using the free SSL check tool from Qualys SSL Labs. It is very reliable and we use it for all Kinsta clients when verifying certificates. Simply head over to their SSL check tool, input your domain into the Hostname field and click on “Submit.” You can also select the option to hide public results if you prefer. It could take a minute or two to scan your site’s SSL/TLS configuration on your web server.
Passing SSL Check with an A Grade
SSL Labs will assign you an SSL server rating, anywhere from an A to an F. You should always be aiming for an A grade. This means you have both your SSL certificate and intermediate certificate setup correctly. And that your WordPress host has the rest of your web server up to current specifications. If you don’t, see further below for an explanation of warnings and errors and how to fix them. You can always reach out to your WordPress host for help as well.
Certificate Chain Incomplete Warning
The “certificate chain incomplete” is one of the most common warnings when running an SSL check. When you install an SSL certificate on your web server, or with Kinsta, it requires that you add your certificate key, private key, and chain. If you only add your primary certificate you will encounter a warning as seen below: “This server’s certificate chain is incomplete. Grade capped to B.” It also will also report further below as simply having chain issue.
To fix this you need to add your intermediate certificate as well. Most SSL providers will email you a .crt file and a .ca-bundle file. For Kinsta customers, simply paste the contents of your .crt file in the “Certificate” section first and then the contents of the .ca-bundle file below it. You can use a text editor like Notepad or TextMate to open the certificate and bundle files. If you don’t have or know your intermediate certificate you can use a free tool like https://whatsmychaincert.com/ to generate it.
If you are using a different web hosting provider you can open up a support ticket and provide them with your intermediate certificate. After adding it, you can clear the cache on your SSL Labs test and re-run it to ensure that your B grade goes to an A.
Make sure to also check out this guide on SSL and TLS Deployment Best Practices.