Check your site for weak SHA-1 certificates. Open source, by @konklone.

If Chrome still says the site uses SHA-1, it's probably a chain caching bug on your computer.

HTTPS certificates are signed using a one-way hash — often SHA-1.

Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2.

Getting a SHA-2 certificate

You'll need to get your CA to issue you a new certificate using SHA-2. Most CAs now default to SHA-2, but you may need to select an option.

If you find other problems, please report them here and I'll update the list above.

Using SHA-2 intermediate certificates

When you created your certificate chain, you included one or more intermediate certificates from wherever you obtained your cert, which may need to be updated. Check SSL Labs to see if you need to update.


This website is an open source project, and includes a command line tool — please lend a hand!

Thanks to Mathias Bynens, Justin Mayer, and Jonny Barnes for inspiration and assistance.