
My site on Google Chrome gets a warning about its SSL certificate. At first Chrome says:

The identity of this website has been verified by RapidSSL SHA256 CA - G3 but does not have public audit records.

But then I get a warning like this:

This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.

When I check my certificate with openssl from the command line, based on this question: https://stackoverflow.com/a/26685515/317648, I get an answer like this:

Signature Algorithm: sha256WithRSAEncryption

I am confused now: why does Chrome say it can be SHA1? What is the reason for that?

Mehmet Davut

1 Answer

Whilst the certificate itself is using SHA-256, the certificates upward in the chain are likely using SHA1. You will likely need to upgrade your certificate chain files to use a more up to date version of the certificates, so in order to do this you should be able to download a new intermediate certificate from your issuer.

You can find more information on this particular issue here: Why Chrome Thinks your SHA-2 Certificate Chain is "Affirmatively Insecure"

More information on why Google are sunsetting SHA1 is available here: Why Google is Hurrying the Web to Kill SHA-1.
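As an added illustration of the answer above (not code from the question, the answer, or any linked article): the `Signature Algorithm:` line openssl prints is the outer `signatureAlgorithm` field of the certificate, i.e. the algorithm the *issuer* used, so the leaf can say SHA-256 while an intermediate says SHA-1. This stdlib-only Python walks that field for every certificate in a PEM bundle (a chain file, or the output of `openssl s_client -showcerts`) and flags SHA-1 ones; `fake_cert_pem`, `SHA256_RSA` and `SHA1_RSA` are constructed test fixtures, not real certificates.

```python
import base64
import re

# Raw OID bytes -> name for common signature algorithms (constructed table, not from
# the page); anything else is reported as hex rather than misnamed.
SIG_OIDS = {b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05": "sha1WithRSAEncryption",
            b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b": "sha256WithRSAEncryption",
            b"\x2a\x86\x48\xce\x3d\x04\x01": "ecdsa-with-SHA1",
            b"\x2a\x86\x48\xce\x3d\x04\x03\x02": "ecdsa-with-SHA256"}

def _tlv(buf, pos):
    """Decode a DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Name of the outer Certificate.signatureAlgorithm: the algorithm the *issuer*
    signed with, which is what 'Signature Algorithm:' in openssl's output reports."""
    tag, start, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE {
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(der, start)             #   tbsCertificate (skipped whole)
    _, alg_start, _ = _tlv(der, tbs_end)         #   signatureAlgorithm SEQUENCE {
    tag, o_start, o_end = _tlv(der, alg_start)   #     algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = der[o_start:o_end]
    return SIG_OIDS.get(oid, "unknown OID " + oid.hex())

def audit_chain(pem_text):
    """(index, algorithm, uses_sha1) per cert in a PEM bundle, leaf first. A trailing
    self-signed root can be ignored: browsers do not check a trust anchor's signature."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    names = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blocks]
    return [(i, n, "sha1" in n.lower()) for i, n in enumerate(names)]

def fake_cert_pem(oid):
    """Constructed minimal DER (empty TBS, real AlgorithmIdentifier) so the parser can
    run offline; it has a certificate's outer layout but is not a valid certificate."""
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\xff"   # tbs, alg, signature BIT STRING
    der = b"\x30" + bytes([len(body)]) + body
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed fixtures: a SHA-256 leaf chained to a SHA-1 intermediate reproduces the
# situation in the question, e.g. audit_chain(fake_cert_pem(SHA256_RSA) + fake_cert_pem(SHA1_RSA))
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"     # sha1WithRSAEncryption
```

Any entry with `uses_sha1` set for the leaf or an intermediate is what Chrome objects to; replacing that intermediate with the issuer's current SHA-256 one, as the answer suggests, clears the warning.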

mjsa