
When I check my server certificate I get this error:

One of the certificates is signed with a SHA1 signature. We recommend that you reissue or replace this certificate with one that uses a SHA-2 signature. Contact your SSL provider about how to do this. Read more about the SHA-1 deprecation here.

This error is because the Apache server shows SHA1 instead of SHA2.

On my servers with CentOS there is no problem.

How do I update or force Apache to use only SHA2?

abkrim
  • Apache uses the certificates that you've installed. Get a new certificate, ensuring that there is no SHA1 in the path, then install it. – garethTheRed Jun 26 '16 at 07:43
  • That is not correct. Apache uses your certificates and Root Certificates. It's a process on SSL connections. The problem is not my certificate. It's Root certificates on Apache or System. I don't know how to update Ubuntu to update Root certificates (with .deb packages, not a workaround) – abkrim Jun 26 '16 at 11:48
  • The certificate you were issued chains up to a root certificate. Somewhere along that chain is a SHA1 certificate. It's that simple. You can't _force_ Apache to use a SHA1 certificate because it has no control of the certificate chain - it simply sends the chain that your CA has given you and that you've configured it to use. That is down to the certification authority and/or you - not Apache. – garethTheRed Jun 26 '16 at 18:38
  • I still do not agree with you. The certificate is not the problem, because that certificate works perfectly on another server. The point is that the Apache Web server sends a Root CA, and please read this, SHA1 signature. SSL doesn't offer a single point. It is a mechanism in which several certificates and various processes are involved. Common name: AddTrust External CA Root Organization: AddTrust AB Location: SE Thank you. – abkrim Jun 27 '16 at 06:53
  • Two points - 1st, it does not matter if the Root CA certificate is signed using SHA1. Have a look at Google's certificates if you want a real world example. 2nd, Apache cannot configure the signature algorithm - that is added by the superior CA during the signing of the certificate. If it was changeable at run-time, then the whole concept of X509 certificates would break. You have a certificate, which was signed by 0 or more subordinate CAs, which was finally signed by a Root. Apache will send the certs you configure it to send using `SSLCertificateFile` and `SSLCertificateChainFile`. – garethTheRed Jun 27 '16 at 07:23
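The comments above make two points worth checking mechanically: Apache only sends the files named by `SSLCertificateFile` and `SSLCertificateChainFile`, and a SHA-1 signature matters on an intermediate but not on the self-signed root. As an added example (not from this thread), this POSIX shell script builds a constructed demo chain with hypothetical "Demo" names and audits the bundle the way a scanner audits what Apache sends, flagging SHA-1 only where a client would actually verify it:

```shell
# Constructed demo (not from the thread): build a three-tier PKI with hypothetical
# "Demo" names, then audit the PEM bundles the way a scanner audits what Apache
# sends from SSLCertificateFile + SSLCertificateChainFile.
set -eu

# audit_chain BUNDLE: print "<n> <sigalg> <subject>" per certificate and return 1
# if any certificate that is NOT self-signed carries a SHA-1 (or MD5) signature.
# A self-signed root is listed but never flagged: clients trust it by identity
# from their own store, so its signature is never verified.
audit_chain() {
  bundle=$1; split=$(mktemp -d); bad=0; n=0
  awk -v d="$split" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  for c in "$split"/c*.pem; do
    n=$((n + 1))
    alg=$(openssl x509 -in "$c" -noout -text | awk '/Signature Algorithm/{print $3; exit}')
    subj=$(openssl x509 -in "$c" -noout -subject); issr=$(openssl x509 -in "$c" -noout -issuer)
    echo "$n $alg $subj"
    [ "${subj#subject=}" = "${issr#issuer=}" ] && continue   # self-signed root: skip
    case $alg in sha1*|md5*) bad=1 ;; esac
  done
  rm -rf "$split"
  return $bad
}

# make_demo_chain DIR: root signed with SHA-1 (harmless, like the AddTrust root);
# the intermediate is issued twice, once with SHA-256 and once with SHA-1.
make_demo_chain() {
  d=$1
  openssl req -x509 -sha1 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  for alg in sha256 sha1; do
    openssl x509 -req "-$alg" -days 2 -in "$d/int.csr" -CA "$d/root.pem" \
      -CAkey "$d/root.key" -CAcreateserial -out "$d/int-$alg.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/leaf.csr" -CA "$d/int-$alg.pem" \
      -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf-$alg.pem" 2>/dev/null
    # Same order Apache sends: leaf, then intermediate(s), then (optionally) the root.
    cat "$d/leaf-$alg.pem" "$d/int-$alg.pem" "$d/root.pem" > "$d/chain-$alg.pem"
  done
}

WORK=$(mktemp -d)
make_demo_chain "$WORK"
for alg in sha256 sha1; do
  if audit_chain "$WORK/chain-$alg.pem"; then echo "chain-$alg.pem: clean"
  else echo "chain-$alg.pem: SHA-1 signature inside the chain, get it reissued"; fi
done
```

To audit a live server instead of the demo files, feed `audit_chain` a bundle captured with `openssl s_client -showcerts`; the root line will still show SHA-1 for older roots, and that alone is not a finding.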
