Chrome v18, self signed certs, “signed using a weak signature algorithm”, and an internal CA

Today when I was accessing some internal resources that are protected with an SSL cert that has been signed by the internal CA, I got an SSL error I hadn’t seen before: “This site’s security certificate is signed using a weak signature algorithm!” (see image below). With a quick test it was clear this was only an issue with Chrome. And a few Googlings later I found it was thanks to a recent auto-upgrade to Chrome 18. Most of the Google hits were discussing this error in the context of Facebook – apparently some facebook servers are configured with an old, expired intermediate certificate. But this was not the case with my server cert, signed with the internal CA cert.

Digging some more, I came across a post by Dave Christiansen where he points out an obscurely documented switch for openssl req command. That works great for single self signed certs, but what if you’re using an internal CA? The CA cert can be created with “-sha512” command using “openssl req” (as outlined in Dave’s post), but then when you sign server certs with “openssl ca” – even when you’ve created the CA cert with the “-sha512” switch – Chrome still throws the same error.

The trick is to specify an equally obscurely documented argument “sha512” for the “-md” switch with “openssl ca”, like so:

openssl ca -md sha512 -config /etc/ssl/openssl.cnf.internalCA -policy policy_anything -in -out -keyfile ../private/internalCA.key -days 3650

Now the signed server certificate reflects “sha512RSA” as the Signature algorithm, and the Chrome error is gone.

10 thoughts on “Chrome v18, self signed certs, “signed using a weak signature algorithm”, and an internal CA”

  1. I found this site after running into the problem of Chrome not loading the Chrome web store because of the weak algorithm signature. I didn’t even have the option to proceed anyway, just go back. I am not familiar with any of the coding and language you mentioned in your post but you sound like someone who know why Chrome is doing this. Could you explain a solution to allow me to get to the Chrome App Store and other sites that are having this weak algorithm signature problem? I am pretty good with computers but the stuff you were talking about was lost on me. 🙂

    Thanks for any help,

  2. Christian, this post was specifically about a situation where an SSL cert signed by an internal (e.g. your own) Certificate Authority causes the “weak signature algorithm” error. In other circumstances, such as in the case of a similar problem with some Facebook servers that is widely discussed on the net, the error may not have been caused by the signing of that specific server’s certificate, but instead by a “weak link” in the Root Certificate Authority chain (i.e. a problem with an intermediate certificate).

    However, I doubt Google’s Chrome web store cert would have such an issue since they are the one who pulled the trigger on this specific sensitivity (i.e. Firefox or IE don’t give any error when accessing the same locations), so the problem you’re experiencing is most likely on the client side, with your browser. I would suggest to make sure you have the latest version of Chrome, purge the browser cache, and then try again.

  3. I keep recieving this problem, but I have already cleared by browser cache, done a malware sweep, reinstalled chrome, restarted my computer, and done pretty much everything short of dancing around my computer with a dead chicken reciting the alphabets backwards. Chrome is up to date and I cannot find anything on any webpage that helps me (even this page, where the solution you outline is a bit beyond my grasp). What can I do?

  4. My post was discussing a situation where you own the server/site whose SSL cert is self-signed with an internal CA cert. When that’s done without the “-md sha512” parameter, it’ll give anyone attempting to access the site with the latest version of Chrome the “signed using a weak signature algorithm” -error.

    But clearly Google messed with Chrome’s SSL tolerances in some other ways, too, as yours and Christian’s problems are most likely not caused by an issue on the server side (such as when accessing Chrome web store). Some part of the issue may border being a bug rather than a tolerance change is sites with valid certs trigger the warning. In that case an update in near future will likely fix the issue.

    Unfortunately I don’t have any obvious further suggestions to give since I’m not experiencing the problem myself with sites like Chrome web store. You could try accessing the same SSL-protected sites on couple of different computers – do you see the same problem?

  5. UM,… WOW…. no help at all,.. this and that dave chastain or whatever are the only pages i can get to, and they are both useless.

  6. @rich.. This post was about a very specific situation that results from combination of Chrome’s new sensitivity to certificate encryption level and use of certificates signed with an internal Certificate Authority. Dave’s post related to the same situation without an internal CA (the only difference to my post is that an internal CA groups self-signed ad hoc certs). There’s a lot of chatter on the web about Chrome and some facebook servers and other issues caused by the minimum encryption level required by the latest Chrome version, so it’s pretty certain that other [edge] cases exist as well.

  7. Awesome! I ran into the Chrome complaint late last night, and was able to fix things up with your help in no time at all, despite being bleary-eyed and in a hurry. Thanks so much for the post!

  8. Yep haveing same issues but also something has cause my windows security center to not work at the same time .I have tried many fixes but none work.I show no viruses or malware.(useing security essential and malwarebyte I started to use comodo firewall )as windows firewall will not start and yet has no error codes.When i try the fixit or other tools from the microsoft help sites none of the fixes seem to work.In the scans they do not detect virus protection (msc)is installed and have reinstalled and it still does not detect it.All I can think is someone hacked in shut down security (firewalls )and started messing with others settings .

  9. Just received the above error today….did all the sweeps…now will try to update chrome…thanks…very scary when a big red screen indicates a problem….I do not understand the descriptions other than to scan and update….if that is not it…I am in big trouble

  10. Hi,

    I wanted to take the time to thank you. md5 looks like its on it’s way out and I’m actually glad I got the error. sha512 is the new setting and the error disappeared.

    Yes, CA Root run internally. Anyway, your post helped, thanks for finding this out and then actually sharing it with the rest of the world.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.