Ok and coming in for the home stretch we go into a Domain & DNS tools segment to close out the series
When you manually install an SSL certificate, you actually need to be concerned with probably 2 or 3 separate certificates: yours, the certificate of your issuing provider, and the certificate of their provider. It’s kind of like a pyramid scheme, but it ensures that only the trusted certificate providers are in control of what valid TLS/SSL certs are being used.
Note that if you correctly install your certificate but not the parent certs (also known as the “chain cert”), your visitors will see SSL warnings in their browsers. This happens also if one of the intermediary certificates (that is, the two above yours) has a problem (like they become expired).
As well, as this website handily explains:
To complicate matters, browsers cache chain certificates, meaning that an improperly-configured chain could work in some browsers but not others, making this an annoying problem to debug.
This site tests if your server is serving the correct certificate chain, tells you what chain you should be serving, and helps you configure your server to serve it.
Use the tool WhatsMyChainCert.com to debug and examine these.