Recent efforts by browsers urge administrators to update SSL security on websites. This includes a big push to upgrade legacy SHA-1 certificates to SHA-256. Staying up to date is critical for ongoing data security and for keeping online trust.
The Chrome browser led the way in how browsers are choosing to handle SHA-1 certificates, and customers and users on some sites secured by have reported that they are getting an error that reads, “This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.”
The problem is related to a locally installed legacy intermediate certificate that is no longer used or required for the certificate installation. The problem can affect any client platform with a locally cached or installed intermediate certificate.
The certificate in question is the “ High Assurance EV Root CA” certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices. This certificate is unnecessary for installations.
One of the reasons this error will appear is if there is a cross-signed SHA-1 intermediate certificate in your certificate chain.
To determine where the error is occurring, use the SSL Installation Diagnostic Tool. Type in the name of your server and click “Check Server.” If a cross-signed intermediate certificate shows up in the certificate chain, then the problem is on the server side. If there is no intermediate certificate in the chain, then the problem is on the browser side. To fix the error on the browser side, click the link for your platform below.
How to Remove the Cross-signed Intermediate Certificate for Windows
How to Remove the Cross-signed Intermediate Certificate for Apache and Nginx
To fix the error, you need to remove the cross-signed intermediate certificate so it does not bridge over to another Certificate Authority’s root certificate.
These instructions were created on Windows Server 2012. You may need to modify these instructions depending on which version of the operating system you are using.
Edit the SSLCertificateChainFile /path/to/CA.crt directive to include only one certificate.
Edit the ssl_certificate /etc/ssl/your_domain_name.pem; directive to include only the server certificate and its issuing intermediate certificate.
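Before trimming the Apache chain file or the Nginx PEM bundle, it helps to see exactly how many certificates the file contains and which signature algorithm each one carries, since a leftover cross-signed intermediate is typically the SHA-1 entry. The following script is an added example, not part of this article and not a tool from the certificate vendor: it splits a PEM chain into its certificates and reads the outer signatureAlgorithm OID straight from the DER with a minimal ASN.1 walk, so it needs only the Python standard library. The two sample certificates at the bottom are constructed minimal DER structures that carry only the fields the parser reads; they are not real certificates, and on a live server you would feed the script the actual chain file instead.

```python
import base64
import re

# Signature algorithm OIDs (dotted form), their names, and whether they rely on SHA-1.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_chain(text):
    """Return the DER bytes of every certificate block in a PEM file, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn DER OID content bytes into dotted notation (base-128 sub-identifiers)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)             # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)      # the AlgorithmIdentifier SEQUENCE
    oid_tag, oid_content, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid_content)


def audit_chain(pem_text):
    """List every certificate in a chain file and flag the SHA-1 signed entries."""
    report = []
    for i, der in enumerate(split_pem_chain(pem_text)):
        oid = signature_algorithm(der)
        name, weak = SIG_ALGS.get(oid, (oid, False))
        report.append({"index": i, "algorithm": name, "sha1": weak})
    return report


# ---- constructed sample input (not real certificates) -----------------------
def tlv(tag, content):
    assert len(content) < 128                 # short-form length suffices for the samples
    return bytes([tag, len(content)]) + content


def make_sample_cert(sig_oid_bytes):
    """Minimal DER with only the fields the parser reads, wrapped as PEM (constructed)."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                          # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, sig_oid_bytes) + tlv(0x05, b""))   # OID + NULL params
    sig = tlv(0x03, b"\x00")                                     # empty BIT STRING
    der = tlv(0x30, tbs + alg + sig)
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5

# A chain file with a modern server cert followed by a leftover SHA-1 intermediate.
SAMPLE_CHAIN = make_sample_cert(SHA256_RSA_OID) + make_sample_cert(SHA1_RSA_OID)

if __name__ == "__main__":
    for entry in audit_chain(SAMPLE_CHAIN):
        flag = "  <-- SHA-1 signed, remove from the chain" if entry["sha1"] else ""
        print(f"cert {entry['index']}: {entry['algorithm']}{flag}")
```

Run it against the real file (`audit_chain(open("/path/to/CA.crt").read())`) to confirm the Apache chain file holds exactly one certificate and that nothing in the Nginx bundle is SHA-1 signed after the edit. The script reads only the signature algorithm and does not verify the chain, so it tells you what is in the file, not whether the remaining intermediate actually issued your server certificate.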
All recent installations of certificates issued by include the most up-to-date intermediates in order to establish trust with browsers.
If you have problems on other operating systems, let us know so we can get additional details and update our documentation for other users to resolve the cached intermediate error.
If you need assistance with this or any other issues, is always happy to help.