If Chrome still says the site uses SHA-1, it's probably a chain caching bug on your computer.
HTTPS certificates are signed using a one-way hash — often SHA-1.
Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2.
You'll need to get your CA to issue you a new certificate using SHA-2. Most CAs now default to SHA-2, but you may need to select an option.
- GoDaddy may still issue you a SHA-1 cert at first. If so, you need to "re-key" your certificate to get one signed with SHA-2.
- DigiCert issues SHA-2 certificates by default. However, if you "re-key" an existing SHA-1 certificate, you need to select SHA-2 as an "advanced option" on the certificate request page.
- If GeoTrust or RapidSSL mistakenly issues you a SHA-1 certificate again, follow these instructions to log in to their portal and reissue your certificate.
- Gandi now uses SHA-2 for certificates expiring after January 1, 2017. For certificates expiring before that, you have to generate a CSR yourself with SHA-2.
If you find other problems, please report them here and I'll update the list above.
When you created your certificate chain, you included one or more intermediate certificates from wherever you obtained your cert, which may need to be updated. Check SSL Labs to see if you need to update.
- If you're using DreamHost, someone kindly documented where to get the appropriate SHA-2 intermediates.
- RapidSSL has SHA-2 intermediates. Because these were issued recently, you may need to reissue your client cert from RapidSSL as well (even a SHA-2 cert) to ensure you get a client cert that was signed by these intermediates. You may also need to swap the intermediate certificate with this one.
- StartSSL has updated SHA-2 certificates for whatever level you've paid for: Class 1, Class 2, Class 3, or Class 4.
- If you're using Comodo (possibly through Namecheap), download the SHA-2 intermediate that corresponds to your certificate level.
- Verisign / Symantec lists their SHA-2 intermediates under RSA SHA-2, at "SHA-2 Intermediate CAs under SHA-2 Root".
- For GeoTrust, check out this intermediate or dig through their list. If you're using their "GeoTrust True Business ID Wildcard" product, you will need to email support to get them to send you the right intermediate(!).
- If you're using GlobalSign or AlphaSSL, get their SHA-2 intermediate certificates.
- DigiCert has SHA-2 intermediates for everything.