New Google Chrome certificate warning

The X.509 certificates used to prove server identity in SSL are changing, and it looks like many site administrators may be caught out due to a confusing error report in the latest browsers. SHA-1 digital signatures in SSL certificates are being phased out, and should be entirely gone by 2016 – but plenty of existing certificates have an expiry date set long afterwards.

The latest version of the Chrome browser displays a minor warning symbol if the website’s certificate relies on a SHA-1 signature and is valid beyond the end of 2016. This is the first of a series of updates across all browsers to deprecate SHA-1. Google described the warnings and how they will change over time in a blog post, but the short story is that the latest version, Chrome 39, warns about SHA-1 certificates that expire after the end of 2016.

Users are fickle about such warnings, and most sites will want to fix this before Chrome 39 is widely deployed (it was released 2 days ago and updates automatically). The warning might discourage purchasers, or users might raise a support request; either would likely cost more than fixing the SSL configuration.

In most cases you just need to get the certificate reissued, which will usually be free of charge from your current certificate provider.

How to tell whether you need a new certificate

All the testing tools I tried gave wrong answers (saying the certificate was fine) or answers incomprehensible to normal people, so I suggest you get your web server administrator to ensure they have Chrome 39 (or grab the Chrome beta version if it isn’t updating) and test the site carefully. Even recent tests using Chrome 38 won’t show the additional warnings.

Here is an example warning from Chrome 39 beta showing what users will see if your certificate is wrong.

Chrome 39 warning: “The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.”
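Because the testing tools gave misleading answers, here is an added check that is not part of the original post: a small standard-library Python script that parses a DER-encoded X.509 certificate, reads its signature-algorithm OID and notAfter date, and flags the combination Chrome 39 warns about (a SHA-1 signature on a certificate valid past the end of 2016). The `sample_cert` helper builds a constructed, unsigned certificate skeleton purely to exercise the parser; the OID table, function names and cutoff date are my assumptions based on the policy described above.

```python
import datetime

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                 "1.2.840.10040.4.3": "dsa-with-sha1"}  # signature OIDs Chrome 39 treats as SHA-1 based
CUTOFF = datetime.datetime(2016, 12, 31, 23, 59, 59)  # SHA-1 certs valid past this date get the warning

def _tlv(data, pos):  # decode one DER tag-length-value at pos -> (tag, body, next_pos)
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits count the following length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def _children(body):  # split a SEQUENCE body into its (tag, body) children
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _oid(body):  # decode an OBJECT IDENTIFIER body to dotted-decimal form
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def check_cert(der):
    """Return (sig_alg_oid, not_after, needs_reissue) for one DER-encoded X.509 certificate."""
    tbs, sig_alg = _children(_tlv(der, 0)[1])[:2]   # tbsCertificate, signatureAlgorithm
    alg_oid = _oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                        # skip optional [0] EXPLICIT version
        fields = fields[1:]
    tag, body = _children(fields[3][1])[1]          # validity.notAfter (after serial, sigalg, issuer)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    not_after = datetime.datetime.strptime(body.decode("ascii"), fmt)
    return alg_oid, not_after, alg_oid in SHA1_SIG_OIDS and not_after > CUTOFF

def _enc(tag, body):  # DER-encode one short-form TLV (enough for the tiny sample below)
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid, not_after):
    """Constructed, unsigned certificate skeleton for exercising check_cert (not a real certificate)."""
    alg = _enc(0x30, _enc(0x06, sig_oid) + b"\x05\x00")                  # AlgorithmIdentifier
    validity = _enc(0x30, _enc(0x17, b"141118000000Z") + _enc(0x17, not_after))
    tbs = _enc(0x30, _enc(0xA0, b"\x02\x01\x02") + _enc(0x02, b"\x01")  # v3, serial 1,
               + alg + _enc(0x30, b"") + validity)                       # sigalg, empty issuer, validity
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00"))                   # plus empty BIT STRING signature
```

For a live site, feed `check_cert` the output of `openssl s_client -connect host:443 </dev/null | openssl x509 -outform DER`; Chrome applies the same rule to intermediate certificates in the chain (the root excepted), so check those as well.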


Catching the various SSL sunset issues early can save a considerable amount of heartache later – and this heartache translates directly into effective downtime and real costs. Testing with beta browsers before they’re released can highlight upcoming problems early.