Recent efforts by browsers urge administrators to update SSL security on websites. This includes a big push to upgrade legacy SHA-1 certificates to SHA-256. Staying up-to-date is critical for ongoing data security issues and keeping online trust.

The Chrome browser led the way in how browsers are choosing to handle SHA-1 Certificates, and customers and users on some sites secured by DigiCert have reported that they are getting an error that reads, “This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.”

The problem is related to a locally installed legacy intermediate certificate that is no longer used or required for the certificate installation. The problem can affect any client platform with a locally cached or installed intermediate certificate.

Legacy Intermediate Certificate

The certificate in question is the “DigiCert High Assurance EV Root CA” certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices. This certificate is unnecessary for installations.

Error

The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.

One of the reasons this error will appear is if there is a cross-signed SHA-1 intermediate certificate in your certificate chain.

Is the Error on the Server or Browser Side?

To determine where the error is occurring, use DigiCert SSL Installation Diagnostic Tool. Type in the name of your server and click “Check Server.” If a cross-signed intermediate certificate shows up in the certificate chain then the problem is on the server side. If there is no intermediate certificate in the chain, then the problem is on the browser side. To fix the error on the browser, side click here.

Instructions for Fixing the Error on the Server Side

How to Remove the Cross-signed Intermediate Certificate for Windows

How to Remove the Cross-signed Intermediate Certificate for Apache and Nginx

How to Remove the Cross-Signed Intermediate Certificate for Windows

To fix the error, you need to remove the cross-signed intermediate certificate so it does not bridge over to another Certificate Authority’s root certificate.

These instructions were created on Windows Server 2012. You may need to modify these instructions depending on which version of the operating system you are using.

Open Microsoft Management Console as an admin. On the Windows Start screen, type mmc. Right-click on mmc.exe and then click Run as administrator. In the User Account Control window, click Yes to allow the program to make changes to the computer. In the MMC Console, click File > Add/Remove Snap-in. In the Add or Remove Snap-ins window, under Available snap-ins, select Certificates and then click Add.

In the Certificate snap-in window, select Computer account so you can manage the certificates that are installed on this computer.

In the Select Computer window, select Local computer: (the computer this console is running on) and click Finish.

In the Add or Remove Snap-ins window, click OK.

In the MMC Console tree, expand Intermediate Certification Authorities; click on the Certificates.

Find the file under the Issued To section titled “DigiCert High Assurance EV Root CA” and Issued By “Baltimore CyberTrust Root.”

Right-click on the “Baltimore CyberTrust Root” and click Delete. Restart the server.

How to Remove the Cross-signed Intermediate Certificate for Apache and Nginx

Apache

Edit the SSLCertificateChainFile /path/to/DigiCertCA.crt directive to include only one certificate.

Nginx

Edit the ssl_certificate /etc/ssl/your_domain_name.pem; to include only the server certificate and its issuing intermediate certificate.

No Action Required for Most Certificate Installations

All recent installations of certificates issued by DigiCert include the most up-to-date intermediates in order to establish trust with browsers.

If you have problems on other operating systems, please contact support so we can get additional details and update our documentation for other users to resolve the cached intermediate error.

If you need assistance with this or any other issues, our Support Team is always happy to help.