As of some time last year, Google Chrome started to phase out support for certificates with SHA-1 signatures. Since March 2015, users see a red warning notice in the address bar. This is a reputation problem every site owner should prevent. The notice appears if any of the certificates in the chain is SHA-1 signed, and that is exactly what hit me: I bought a certificate with a SHA-2 signature last year, but because the trust infrastructure of the CA was not yet fully ready for SHA-2, it was signed by a SHA-1 intermediate CA, causing trouble now. WTF!
Here is a small guide on how to create secure certificates:
```bash
# create a 2048 bit private key
openssl genrsa -out my-domain-name.key 2048

# create a CSR which uses the key created previously and sets the flag to use SHA-256 aka SHA-2
openssl req -new -sha256 -key my-domain-name.key -out my-domain-name.csr
```
Upload the CSR to a public CA which offers full SHA-2 support (I used RapidSSL) and make sure to choose SHA-2 for the complete chain; this is sometimes labelled as "SHA-2 certificate with RSA and SHA-2 root". Download your new certificate after completing the creation process.
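Since the warning is triggered by any SHA-1 signature in the chain, not just the leaf, it is worth checking the downloaded bundle before deploying it. The following POSIX shell script is an added example (not part of the original post); it assumes a PEM file containing the leaf and intermediate certificates concatenated, as most CAs deliver them, and uses `openssl x509 -text` to read each certificate's signature algorithm.

```bash
#!/bin/sh
# Print the signature algorithm of every certificate in a PEM bundle, one per line.
# openssl x509 only reads the first certificate in a file, so the bundle is split first.
chain_sig_algs() {
    tmp=$(mktemp -d); n=0
    while IFS= read -r line; do
        case $line in
            "-----BEGIN CERTIFICATE-----") n=$((n + 1)); : > "$tmp/$(printf '%02d' "$n").pem" ;;
        esac
        [ "$n" -gt 0 ] && printf '%s\n' "$line" >> "$tmp/$(printf '%02d' "$n").pem"
    done < "$1"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        # -text prints "Signature Algorithm: <name>" twice; the first hit is enough
        openssl x509 -noout -text -in "$f" | awk '/Signature Algorithm:/ { print $3; exit }'
    done
    rm -rf "$tmp"
}

# Read algorithm names from stdin; return 1 if any is SHA-1 or MD5 based
# (the case Chrome flags), 0 otherwise.
has_weak_sig() {
    weak=0
    while read -r alg; do
        case $alg in
            sha1*|*SHA1*|md5*|*MD5*) echo "WEAK: $alg"; weak=1 ;;
            *) echo "ok:   $alg" ;;
        esac
    done
    return $weak
}

# Check a whole bundle: exit status 1 means at least one certificate must be replaced.
check_chain() {
    chain_sig_algs "$1" | has_weak_sig
}

# usage: ./check-chain.sh fullchain.pem
if [ "$#" -gt 0 ]; then
    check_chain "$1"
fi
```

Include the intermediate certificates the CA sent you in the file you check; a SHA-2 leaf alone tells you nothing about the SHA-1 intermediate that caused the problem described above.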