Check your site for weak SHA-1 certificates. Open source, by @konklone.


SSL certificates are signed using a one-way hash — usually SHA-1.

Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2.

Getting a SHA-2 certificate

You'll need to generate a new certificate request, and get your CA to issue you a new certificate using SHA-2. Using your existing private key:

openssl req -new -sha256 -key your-private.key -out your-domain.csr

Some CAs now default to SHA-2, some need you to "request" it, either in writing or even by signing your CSR with SHA-2. Some CAs don't support SHA-2 at all yet.

If you find other problems, please report them here and I'll update the list above.

Using SHA-2 intermediate certificates

When you created your certificate chain, you included one or more intermediate certificates from wherever you bought your cert, which may need to be updated. Check SSL Labs to see if you need to update.
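
To confirm both steps locally, here is an added example that is not part of this site's own command line tool: it reads the signature algorithm OpenSSL reports for a CSR or for each certificate in a chain file, and flags SHA-1. The function names and the `check-sha.sh` and `chain.pem` file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): report the signature hash
# used by a CSR and by each certificate in a PEM chain file.

# Print the signature algorithm name OpenSSL reports for a file.
#   $1 = "req" for a CSR, "x509" for a certificate;  $2 = PEM file
sig_alg() {
  openssl "$1" -in "$2" -noout -text |
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# Map an algorithm name to a verdict: SHA-1 is weak, the SHA-2 family is ok.
classify_sig_alg() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *sha1*) echo weak ;;
    *sha224*|*sha256*|*sha384*|*sha512*) echo ok ;;
    *) echo unknown ;;   # e.g. RSA-PSS or Ed25519: inspect by hand
  esac
}

# Check every certificate in a chain file (leaf first, then intermediates).
# Prints one "verdict algorithm subject" line per certificate.
# Returns 0 if all are ok, 1 if any is weak or unknown, 2 if none were found.
check_chain() {
  tmp=$(mktemp -d) || return 2
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
       n { print > (d "/cert" n ".pem") }' "$1"
  rc=0
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || { rc=2; break; }
    alg=$(sig_alg x509 "$f")
    verdict=$(classify_sig_alg "$alg")
    echo "$verdict $alg $(openssl x509 -in "$f" -noout -subject)"
    [ "$verdict" = ok ] || rc=1
  done
  rm -rf "$tmp"
  return "$rc"
}

# Usage: sh check-sha.sh chain.pem   (the script name is a placeholder)
if [ "$#" -gt 0 ]; then
  check_chain "$1"
fi
```

Run `sig_alg req your-domain.csr` before submitting the request, and leave the root certificate out of the chain file: a root is trusted because it is in the trust store, not because of its own signature.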


This website is an open source project, and includes a command line tool — please lend a hand!

Thanks to Mathias Bynens, Justin Mayer, and Jonny Barnes for inspiration and assistance.