As of some time last year, Google Chrome started to phase out support for certificates with SHA-1 signatures. Since March 2015 users see a red warning notice in the address bar. This is a reputation problem every site owner should prevent. The notice appears if any certificate in the chain is SHA-1 signed. That is what happened to me: I bought a certificate with a SHA-2 signature last year, but because the CA's trust infrastructure was not yet fully ready for SHA-2, it was signed by a SHA-1 intermediate CA, which is causing trouble now. WTF!

Here is a small guide on how to create secure certificates:


# create a 2048 bit private key
openssl genrsa -out my-domain-name.key 2048

# create a CSR that uses the key created previously and sets the flag to use SHA-256 (aka SHA-2)
openssl req -new -sha256 -key my-domain-name.key -out my-domain-name.csr

The Certificate

Upload the CSR to a public CA that offers full SHA-2 compliance (I used RapidSSL) and make sure to choose SHA-2 for the complete chain; this is sometimes stated as "SHA-2 certificate with RSA and SHA-2 root". Download your new certificate after completing the creation process.
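The two commands above plus the check the post's own story calls for, as an added example that is not part of the original post: it generates the SHA-256 CSR, confirms the algorithm actually recorded in the CSR, and counts SHA-1 signatures in the downloaded PEM chain (leaf plus intermediates) before it goes anywhere near a server. The domain name and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a SHA-256 CSR as the
# post describes, then check a downloaded PEM chain for SHA-1 signatures
# before deploying it. Domain and file names used here are placeholders.
set -eu

# Create a 2048-bit RSA key and a CSR signed with SHA-256.
# $1 = domain name; writes <domain>.key and <domain>.csr in the current directory.
make_key_and_csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1.key" -out "$1.csr" -subj "/CN=$1"
}

# Print the signature algorithm recorded in a CSR (e.g. sha256WithRSAEncryption).
csr_signature_algorithm() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Count SHA-1-signed certificates in a PEM bundle (leaf plus intermediates).
# crl2pkcs7/pkcs7 dumps the text of every certificate in the bundle; each
# certificate prints its signature algorithm twice, hence the division by two.
count_sha1_signed() {
  lines=$(openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -text -noout \
    | grep -ci 'Signature Algorithm:.*sha1' || true)
  echo $((lines / 2))
}

# Usage: sh check-chain.sh <domain> <chain.pem>
if [ "$#" -eq 2 ]; then
  make_key_and_csr "$1"
  echo "CSR signature: $(csr_signature_algorithm "$1.csr")"
  n=$(count_sha1_signed "$2")
  if [ "$n" -gt 0 ]; then
    echo "WARNING: $n SHA-1 signed certificate(s) in $2; Chrome will flag this chain" >&2
    exit 1
  fi
  echo "Chain OK: no SHA-1 signatures in $2"
fi
```

The same count works on a live site by saving the output of `openssl s_client -connect host:443 -showcerts` to a file and passing that file to `count_sha1_signed`.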
