Check your site for weak SHA-1 certificates. Open source, by Eric Mill (@konklone).

From late 2014 through the full retirement of SHA-1 at the end of 2016, this site provided a web-based tool to check if a web service's certificate was using the dangerously outdated SHA-1 signature algorithm.

Since SHA-1 is largely gone from the ecosystem, this tool has been disabled, but its code remains open source.

The repository also includes a command line tool, which could easily be modified to detect other signature types.
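The core of such a check is small, as this added example shows (written for this page, not the project's own tool): read the outer Certificate SEQUENCE, skip tbsCertificate, and decode the signatureAlgorithm OID. The OID table, the function names and the sample DER bytes below are my own constructions; a real scan should run this over every certificate in the served chain except the self-signed root, whose own signature clients never verify.

```python
import base64

SIG_ALGS = {  # signature-algorithm OID -> (name, is_sha1); RFC 3279/4055/5758
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OID content octets (base-128 subidentifiers) to dotted form."""
    subids, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # first two arcs share one subidentifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, pos, _ = _tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _tlv(der, pos)        # skip tbsCertificate
    _, pos, _ = _tlv(der, pos)        # enter AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, pos)  # its first element is the algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(der[start:end])
    name, is_sha1 = SIG_ALGS.get(oid, ("unknown " + oid, False))
    return oid, name, is_sha1

def check_pem(pem):
    """Accept PEM text, e.g. what ssl.get_server_certificate((host, 443)) returns."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return signature_algorithm(base64.b64decode(body))

# Constructed sample, not a real certificate: a dummy tbsCertificate (INTEGER 2),
# a genuine AlgorithmIdentifier for sha1WithRSAEncryption, and an empty signature.
SAMPLE_SHA1_CERT = bytes.fromhex("3017" "3003020102"    # outer SEQUENCE; dummy tbs
    "300d06092a864886f70d0101050500" "030100")         # sha1WithRSA AlgId; BIT STRING
```

`ssl.get_server_certificate` only returns the leaf, so for chain checks feed the parser each DER certificate the server sends.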

Background: As of January 1, 2016, no publicly trusted CA is allowed to issue a SHA-1 certificate. In addition, SHA-1 support was removed by most modern browsers and operating systems in early 2017. Any new certificate you get should automatically use a SHA-2 algorithm for its signature.

Legacy clients will continue to accept SHA-1 certificates, and it is possible to have requested a certificate on December 31, 2015 that is valid for 39 months. So, it is possible to see SHA-1 certificates in the wild that expire in early 2019.

The author "looks forward" to reviving this tool when SHA-2 is demonstrated to be weak, and the ecosystem begins moving towards SHA-3 or another suitable replacement.


Thanks to Mathias Bynens, Justin Mayer, and Jonny Barnes for inspiration and assistance.