Blog | G5 Cyber Security

SHA1 Certificate Errors: Fixes

TL;DR

Browsers reject websites whose certificates carry a SHA-1 signature because that hash is no longer collision-resistant. This guide explains how to confirm that a SHA-1 signature is the cause, how to fix it by replacing the certificate, and what the browser overrides do (they only apply to privately issued certificates and are not recommended beyond testing).

Understanding the Problem

SHA-1 was for years the standard hash used when a certificate authority signs a website certificate. Practical collision attacks now exist (a full collision was demonstrated in 2017 and a chosen-prefix collision in 2020), so an attacker who can get a CA to sign one certificate could craft a second one with the same SHA-1 digest, and the CA’s signature would verify on content the CA never approved. Chrome, Firefox, Safari and Edge therefore reject publicly trusted certificates with SHA-1 signatures; whatever leniency remains is limited to certificates chaining to a private root installed locally.

Step-by-Step Fixes

  1. Check Your Certificate: First confirm that a SHA-1 signature is really the cause. The field to look at is the certificate’s Signature Algorithm (the algorithm the issuing CA used), and it must be checked on the leaf certificate and on every intermediate. A SHA-1 signature on the root itself is harmless, because browsers do not verify a trusted root’s self-signature.
    • Online Tools: A checker such as SSL Shopper fetches the chain your server sends and shows the signature algorithm of each certificate in it.
    • Browser Developer Tools:
      1. Open your browser’s developer tools (usually by pressing F12) and load the site.
      2. Navigate to the ‘Security’ tab and open ‘View certificate’.
      3. In the certificate details, find the Signature Algorithm of each certificate in the chain. If the leaf or an intermediate shows SHA-1 (for example sha1WithRSAEncryption), you have found the problem.
  2. Update Your Certificate (Recommended): The real fix is to replace the SHA-1-signed certificate with one signed using a SHA-2 hash (SHA-256 is the usual choice). Public CAs have issued SHA-2 certificates for years, so a reissue is normally free.
    • Contact Your Certificate Authority: Ask the CA you bought the certificate from to reissue it. They will have you generate a new certificate signing request (CSR) and will send back a new certificate and, usually, a new intermediate; install both, because an old SHA-1 intermediate causes the same error.
    • Generate a CSR: With OpenSSL the command is the same whichever web server you run. Note that the hash used to sign your certificate is chosen by the CA, not by the CSR, so the CA must issue a SHA-2 certificate.
      # Example using OpenSSL (Apache, nginx and others accept the same CSR)
      # -nodes leaves the private key unencrypted so the server can start unattended
      # -sha256 signs the CSR itself with SHA-256 (current OpenSSL defaults to this anyway)
      openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example.com.key -out example.com.csr
    • Install the New Certificate: Follow your CA’s instructions to install the new certificate and the new intermediate on your web server, then reload or restart the server.
      # Example for Apache (adjust paths as needed)
      SSLCertificateFile /path/to/your_certificate.crt
      SSLCertificateKeyFile /path/to/your_private.key
      # Apache 2.4.8 and later: append the intermediate certificate(s) to your_certificate.crt
      # Older versions: point SSLCertificateChainFile at the intermediate file instead
  3. Temporary Workaround (Browser Exceptions – Not Recommended): There is no override for a publicly trusted SHA-1 certificate. The settings below only relax the check for certificates that chain to a locally installed private root (for example an internal corporate CA), and the Chrome flag exists only in older releases.
    • Chrome: In older releases, type chrome://flags/#allow-sha1-local-anchors into the address bar, enable ‘Allow SHA-1 local anchors’ and restart Chrome. The flag has since been removed, so current versions cannot be configured this way. Warning: This disables a security feature and should only be used for testing purposes.
    • Firefox: Open about:config (type about:config in the address bar, accept the risk), search for security.pki.sha1_enforcement_level and set it to 0 (allow SHA-1 everywhere; the default value 3 allows it only for locally installed roots). Restart Firefox. Warning: This disables a security feature and should only be used for testing purposes.
  4. Verify the Fix: After installing the new certificate and intermediate, re-check with SSL Shopper or your browser’s developer tools and confirm that the Signature Algorithm on the leaf and on every intermediate is now SHA-256 (or another SHA-2 hash). Test from a fresh browser session, since a cached connection can still show the old certificate.
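To make the check in step 1 and the verification in step 4 scriptable, here is an added example (not code from the original post): a small Python script that reads a certificate in PEM or DER form, walks just enough of the DER structure to reach the outer signatureAlgorithm field, and reports whether the signature was made over an MD5 or SHA-1 digest. The OID table and the parsing follow the real X.509 layout; the sample certificates it builds are constructed placeholders for the demo, not CA-issued certificates, and the function names are this example’s own.

```python
"""Report an X.509 certificate's signature algorithm using only the standard
library: parse just enough DER to reach Certificate.signatureAlgorithm, the
outer AlgorithmIdentifier that browsers evaluate. Added example, not from the post."""
import base64
import re

# OIDs of signature algorithms commonly seen in certificates.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_HASHES = ("md5", "sha1")

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(data):
    """Accept PEM (str or bytes) or raw DER; return DER bytes."""
    if isinstance(data, str):
        data = data.encode()
    if b"-----BEGIN" not in data:
        return data
    body = re.sub(rb"-----[^-]+-----", b"", data)
    return base64.b64decode(b"".join(body.split()))

def signature_algorithm(cert):
    """Return (dotted OID, name) of Certificate.signatureAlgorithm."""
    tag, body, _ = _read_tlv(pem_to_der(cert), 0)   # Certificate ::= SEQUENCE
    _, _tbs, pos = _read_tlv(body, 0)                # tbsCertificate (skipped)
    tag2, alg_id, _ = _read_tlv(body, pos)           # AlgorithmIdentifier
    tag3, oid_bytes, _ = _read_tlv(alg_id, 0)        # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 certificate")
    oid = _decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def is_weak(cert):
    """True when the certificate was signed over an MD5 or SHA-1 digest."""
    name = signature_algorithm(cert)[1].lower()
    return any(h in name for h in WEAK_HASHES)

def weak_certs_in_chain(pem_chain):
    """Indexes (0 = leaf) of chain members signed with MD5 or SHA-1. Pass the
    leaf and intermediates only: browsers do not verify a trusted root's own
    self-signature, so a SHA-1 root is not what triggers the error."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                        pem_chain, re.S)
    return [i for i, pem in enumerate(blocks) if is_weak(pem)]

# --- Constructed sample data (hypothetical, not a CA-issued certificate) ---
def _tlv(tag, content):
    """Minimal DER encoder (content shorter than 256 bytes) for the sample."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out

def build_sample_cert(sig_oid):
    """Structurally minimal Certificate: placeholder tbsCertificate, the given
    signatureAlgorithm, and a dummy BIT STRING signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(32)))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Feed weak_certs_in_chain the PEM chain your server sends (leaf first, intermediates after it). On a machine with OpenSSL, `openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'` prints the same field for the leaf certificate. The parser reads the outer Certificate.signatureAlgorithm rather than the copy inside tbsCertificate; RFC 5280 requires the two to match in a valid certificate.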

Important Considerations
