Security 101 05-22-2015

How to Fix “Site Is Using Outdated Security Settings” on Browser

Flavio Martins

Browsers have recently increased efforts to encourage administrators to take advantage of updated SSL security in order to better protect sites and users. These efforts include the requirement for websites to transition to use SHA-256 certificates instead of the legacy SHA-1 certificates for online encryption.

The Chrome browser has been particularly aggressive in how it handles SHA-1 Certificates, and customers and users on some sites secured by have reported they are getting an error that reads, “The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

Fixing the 'outdated security settings' error is a matter of updating a few settings on your browser.

The problem is related to a locally installed legacy intermediate certificate that is no longer used and no longer required for the certificate installation. The problem can affect any client platform with a locally cached or installed intermediate certificate.

Legacy Intermediate Certificate

The certificate in question is the “ High Assurance EV Root CA” certificate. This temporary intermediate certificate was used in years ago as part of a compatibility chain for older devices. This certificate is unnecessary for installations.

Error

The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.



If there is a cross-signed SHA-1 intermediate certificate in your certificate chain, this message may appear.

Is the Error on the Browser or Server Side?

To determine where the error is occurring, use SSL Installation Diagnostic Tool. Type in the name of your server and click “Check Server.” If a cross-signed intermediate certificate shows up in the certificate chain, then the problem is on the server side. If there is no intermediate certificate in the chain, then the problem is on the browser side. To fix the error on the server side, click here.

To fix the error on the browser side see the instructions below:

How to Remove the Cross-Signed Intermediate Certificate for Windows

How to Remove the Cross-Signed Intermediate Certificate for Mac

How to Remove the Cross-Signed Intermediate Certificate for Windows

Internet Explorer

Chrome

Firefox

How to Remove the Cross-Signed Intermediate Certificate for Internet Explorer

  1. In Internet Explorer, go to Internet Options.


  2. In the Internet Options window, on the Content click Certificates.



  3. In the Certificates window, on the Intermediate Certification Authorities tab; you should see the "Baltimore CyberTrust Root".

  4. Select the "Baltimore CyberTrust Root" and click Remove.

How to Remove the Cross-Signed Intermediate Certificate for Chrome

  1. In Chrome, go to Settings.

  2. On the Settings page, below Default browser, click Show advanced settings . . ..

  3. Under HTTPS/SSL, click Manage certificates.

  4. In the Certificates window, on the Intermediate Certification Authorities tab; you should see the "Baltimore CyberTrust Root".

  5. Select the "Baltimore CyberTrust Root" and click Remove.

How to Remove the Cross-Signed Intermediate Certificate for Firefox

  1. In Firefox, go to Options.

  2. In the Options window, click Advanced; next, click the Certificates tab, and then click View Certificates.

  3. Click on the Authorities tab.



  4. Select " High Assurance EV Root CA" and click Delete or Distrust. . ..

  5. Click OK.

How to Remove the Cross-Signed Intermediate Certificate for Mac

Safari

Chrome

Firefox

How to Remove the Cross-Signed Intermediate Certificate for Safari

  1. Open Keychain Access.
  2. In the Finder window, under Favorites, click Applications, click Utilities, and then click Keychain Access.

  3. In the Keychain Access window, under Keychains,click System. Under Category, click Certificates and you should see " High Assurance EV Root CA."
    Expired Certificate Note: If you are searching for an expired " High Assurance EV Root CA" certificate, in the Keychain Access toolbar, click View > Show Expired Certificates and search for the " High Assurance EV Root CA."
  4. Click on " High Assurance EV Root CA."

  5. In the Keychain Access window toolbar at the top click Edit;scroll down and click Delete.

How to Remove the Cross-Signed Intermediate Certificate for Chrome

  1. In Chrome, go to Settings.

  2. On the Settings page, below Default browser, click Show advanced settings . . ..

  3. Under HTTPS/SSL, click Manage certificates.

  4. In the Keychain Access window, under Keychains, click System. Under Category, click Certificatesand you should see " High Assurance EV Root CA."
    Expired Certificate Note: If you are searching for an expired " High Assurance EV Root CA" certificate, in the Keychain Access toolbar, click View > Show Expired Certificates and search for the " High Assurance EV Root CA."
  5. Click on " High Assurance EV Root CA."

  6. In the Keychain Access window click Edit then click Delete.

How to Remove the Cross-Signed Intermediate Certificate for Firefox

    1. In Firefox, go to Preferences.

    2. In the Preferences window, click Advanced; Click the Certificates and then click View Certificates.

    3. In the Certificate Manager window, click Authorities.

    4. Scroll down and find " High Assurance EV Root CA."
    5. Click on " High Assurance EV Root CA" and then click Delete or Distrust . . ..

    6. Click OK.

No Action Required for Most Certificate Installations

All recent installations of certificates issued by include the most up-to-date intermediates in order to establish trust with browsers.

If you have problems on another operating system, so we can get additional details and update our documentation for other users to resolve the cached intermediate error. If you need assistance with this or any other issues, our is always happy to help.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-11-2024

FIPS 140-3 certification unlocked for TrustCore SDK

10-31-2024

Announcing the GA release of Device Trust Manager