Explain SSL certificate chain validation and common issues.

Certificate chain: end-entity cert -> intermediate CA(s) -> root CA. Validation: verify each signature up the chain, check expiration, revocation status (CRL/OCSP), hostname match, key usage extensions. Common issues: missing intermediate (server must send), expired cert, wrong chain order, hostname mismatch, revoked cert, untrusted root. Certificate Transparency (CT) logs provide public audit. HSTS preloading prevents downgrade. OCSP stapling reduces revocation check latency. Let's Encrypt automated issuance.