SSL certificates are signed by the issuing CA over a one-way hash of the certificate's contents, and that hash has usually been SHA-1. The signature is only as strong as the hash: if an attacker can produce a second certificate with the same digest, the CA's signature on yours is also valid for theirs.
Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2.
You'll need to generate a new certificate request, and get your CA to issue you a new certificate using SHA-2. Using your existing private key:
openssl req -new -sha256 -key your-private.key -out your-domain.csr
Some CAs now default to SHA-2, some need you to "request" it, either in writing or by signing your CSR with SHA-2 (the -sha256 flag above). Some CAs don't support SHA-2 at all yet. Note that the hash on your CSR only expresses a preference: the CA chooses the hash when it signs the certificate, so check the issued certificate rather than assuming.
- GoDaddy may still issue you a SHA-1 cert at first. If so, you need to "re-key" your certificate to get one signed with SHA-2.
- Digicert issues SHA-2 certificates by default. However, if you "re-key" an existing SHA-1 certificate, you need to select SHA-2 as an "advanced option" on the certificate request page.
- StartSSL uses SHA-2 for new certificates, as long as you use the -sha256 flag above when creating the CSR. If you need to reissue an old one, you may find Kai Engert's trick of using a fake subdomain to avoid revocation fees helpful. (Requires a paid class 2 identity verification.)
- If GeoTrust or RapidSSL mistakenly issue you a SHA-1 again, follow these instructions to login to their portal and reissue your certificate.
- Gandi now uses SHA-2 for certificates expiring after January 1 2017. For certificates expiring before that, you have to generate a CSR with SHA-2 (using the command above).
If you find other problems, please report them here and I'll update the list above.
When you set up your certificate chain, you included one or more intermediate certificates from wherever you bought your cert. Those intermediates carry their own CA signatures, and if they were signed with SHA-1 they need to be replaced too, even after your own certificate is SHA-2. (The self-signed root at the top of the chain is the exception: clients never verify a trust anchor's own signature, so a SHA-1 root is not a problem.) Check SSL Labs to see if you need to update.
- If using Dreamhost, someone kindly documented where to get the appropriate SHA-2 intermediates.
- RapidSSL has SHA-2 intermediates. Because these were issued recently, you may need to reissue your own (end-entity) certificate from RapidSSL as well, even if it is already SHA-2, to make sure it was signed by these new intermediates rather than the old ones. You may also need to swap the intermediate certificate with this one.
- StartSSL has updated SHA-2 certificates for whatever level you've paid for: Class 1, Class 2, Class 3, or Class 4.
- If you're using Comodo (possibly through Namecheap), download the SHA-2 intermediate that corresponds to your certificate level.
- Verisign / Symantec lists their SHA-2 intermediates under RSA SHA-2, at "SHA-2 Intermediate CAs under SHA-2 Root".
- For GeoTrust, check out this intermediate or dig through their list. If you're using their "Geotrust True Business ID Wildcard" product, you will need to email support to get them to send you the right intermediate(!).
- If you're using GlobalSign or AlphaSSL, get their SHA-2 intermediate certificates.
- Digicert has SHA-2 intermediates for everything.
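Both halves of the procedure above (confirming your CSR asks for SHA-2, then confirming the issued certificate and every intermediate actually carry a SHA-2 signature) come down to reading one field: the outer signatureAlgorithm OID of a DER structure. The following is an added example, not code from the original page or from any CA: a dependency-free DER walker that reports that field for a certificate or a CSR (both are `SEQUENCE { body, signatureAlgorithm, signatureValue }`), plus a chain check that ignores the root's self-signature. It runs on real PEM/DER files; for an offline demo it also builds minimal constructed certificate shells with `make_fake_cert()`, which are not real certificates. The OID table and the `weak_links()` name are this example's own.

```python
"""Report the signature hash used on a certificate, a CSR, or a whole chain.

Added example (not part of the original page). Works on real PEM/DER input;
make_fake_cert() produces constructed shells for offline testing only.
"""
import base64
import re

# Signature algorithm OIDs a CA is likely to have used (RFC 3279/4055/5758).
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted text."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip PEM armour (CERTIFICATE or CERTIFICATE REQUEST) and base64-decode."""
    return base64.b64decode(re.sub(r"-----(BEGIN|END) [A-Z ]+-----|\s", "", pem))


def signature_algorithm(der):
    """(name, hash family) of the outer signatureAlgorithm of a cert or CSR.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    CertificationRequest has the same three-part shape, so both are handled.
    """
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)           # skip tbsCertificate / requestInfo
    tag, alg_id, _ = read_tlv(body, pos)    # AlgorithmIdentifier
    tag_oid, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, (dotted, "unknown"))


def weak_links(chain, root_included=True):
    """Indexes in chain (leaf first) whose signature uses SHA-1.

    A trust anchor's self-signature is never verified by clients, so the last
    element is skipped when the chain ends in the root.
    """
    checked = chain[:-1] if root_included and len(chain) > 1 else chain
    return [i for i, der in enumerate(checked)
            if signature_algorithm(der)[1] == "SHA-1"]


# --- constructed test data: structurally valid shells, not real certificates --

def der_tlv(tag, value):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    """Inverse of decode_oid, wrapped in an OID TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))


def make_fake_cert(sig_oid, tbs_padding=200):
    """Certificate shell with a dummy tbsCertificate; padding forces long-form lengths."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, b"\x00" * tbs_padding))
    alg = der_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")      # params = NULL
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 32)                  # dummy BIT STRING
    return der_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [make_fake_cert("1.2.840.113549.1.1.11"),   # leaf: SHA-256
             make_fake_cert("1.2.840.113549.1.1.5"),    # intermediate: SHA-1
             make_fake_cert("1.2.840.113549.1.1.5")]    # root: SHA-1, ignored
    for i, der in enumerate(chain):
        print(i, signature_algorithm(der))
    print("intermediates to replace at:", weak_links(chain))
```

To run it against a real server, feed `pem_to_der(open("chain.pem").read())` per PEM block into `weak_links()` in leaf-to-root order; feed `pem_to_der(open("your-domain.csr").read())` to `signature_algorithm()` to confirm the `-sha256` flag took effect before sending the CSR to the CA. Only the outer AlgorithmIdentifier is read, because that is the one clients verify; the copy inside tbsCertificate must match it but is not what decides trust.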