SHA1 & Google Chrome Checker
Beginning in October 2014, Google Chrome will start to show warnings for many sites with SSL/TLS certificates signed with the aging SHA1 signature algorithm.
Google Chrome will slowly phase this in based on when the end-entity certificate expires and on whether any certificate in the chain uses SHA1. The severity of the warning depends on the end-entity certificate's expiry date, and each consecutive version of Google Chrome, beginning with Google Chrome 39, will potentially make the warning more severe.
Type in a website that uses SSL/TLS below to check whether it is affected and, if so, which warning will occur and approximately when.
- Qualys Blog has a great overview available.
- Of course, check out Google's official announcement.
- The solution is to move to SHA2 (a family of hash functions that includes SHA256), but this breaks Windows XP SP2 and below. GlobalSign has a good writeup on SHA256 compatibility.
- Microsoft has an existing SHA1 deprecation policy for certificates issued after 2017-01-01.
- Many SSL/TLS Certificate Authorities will re-sign your existing certificates with SHA256 for free.
- I believe the Apache Web Server supports multiple certificates, so if SHA1 support is required, you *might* be able to avoid Google Chrome's SHA1 warnings and support very old clients (Windows XP SP2).