Create State of the Art SSL Certificates to prevent Google Chrome Warnings
14. September 2015

As of some time last year, Google Chrome started to phase out support for certificates with SHA-1 signatures. Since March 2015, users have seen a red warning notice in the address bar. This is a reputation problem every site owner should prevent. The notice occurs if any of the certificates in the chain is SHA-1 signed. So it was for me. I bought a certificate with an SHA-2 signature last year, but because the CA's trust infrastructure was not completely ready for SHA-2, it was signed by an SHA-1 intermediate CA, which is causing trouble now. WTF!

Here is a small guide on how to create secure certificates:


# create a 2048 bit private key
openssl genrsa -out my-domain-name.key 2048

# create a CSR which uses the key created previously and sets the flag to sign it with SHA-256 (part of the SHA-2 family)
openssl req -new -sha256 -key my-domain-name.key -out my-domain-name.csr

The Certificate

Upload the CSR to a public CA which offers full SHA-2 compliance (I used RapidSSL) and make sure to choose SHA-2 for the complete chain. This option is sometimes stated as "SHA-2 certificate with RSA and SHA-2 root". Download your new certificate after completing the creation process.
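
To confirm that neither the CSR nor any certificate the CA delivered is still SHA-1 signed, the following check can be run before deploying. It is an added example, not part of the original post; the function names and the `chain.pem` file name are assumptions, and the bundle is expected to contain your certificate followed by the CA's intermediates in PEM format.

```shell
#!/bin/sh
# Added example: find SHA-1 (or MD5) signatures in a certificate chain.
# Function names and file names are hypothetical, not from the original post.

# Filter: reads `openssl x509 -text` or `openssl req -text` output on stdin
# and prints each distinct weak signature algorithm it finds.
weak_sig_algs() {
    awk -F': *' '/Signature Algorithm:/ {
        alg = tolower($2)
        if (alg ~ /sha1|md5/ && !seen[alg]++) print $2
    }'
}

# Splits a PEM bundle into single certificates and reports each one.
# Returns 1 if any certificate in the bundle has a weak signature.
check_chain() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert" n ".pem") }' "$bundle"
    rc=0
    for pem in "$tmp"/cert*.pem; do
        [ -f "$pem" ] || continue
        subject=$(openssl x509 -in "$pem" -noout -subject)
        weak=$(openssl x509 -in "$pem" -noout -text | weak_sig_algs)
        if [ -n "$weak" ]; then
            echo "WEAK  $subject ($weak)"
            rc=1
        else
            echo "ok    $subject"
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# Typical use (needs the openssl CLI):
#   openssl req -in my-domain-name.csr -noout -text | weak_sig_algs
#   check_chain chain.pem && echo "no SHA-1 in chain"

# Constructed sample of openssl text output, to try the filter offline:
printf '    Signature Algorithm: sha1WithRSAEncryption\n' | weak_sig_algs
```

A `WEAK` line for an intermediate means the CA issued from an SHA-1 signing certificate, which is the situation described at the top of this post.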
