Chrome v18, self signed certs, “signed using a weak signature algorithm”, and an internal CA

Today when I was accessing some internal resources that are protected with an SSL cert that has been signed by the internal CA, I got an SSL error I hadn’t seen before: “This site’s security certificate is signed using a weak signature algorithm!” (see image below). With a quick test it was clear this was only an issue with Chrome. And a few Googlings later I found it was thanks to a recent auto-upgrade to Chrome 18. Most of the Google hits were discussing this error in the context of Facebook – apparently some facebook servers are configured with an old, expired intermediate certificate. But this was not the case with my server cert, signed with the internal CA cert.

Digging some more, I came across a post by Dave Christiansen where he points out an obscurely documented switch for openssl req command. That works great for single self signed certs, but what if you’re using an internal CA? The CA cert can be created with “-sha512” command using “openssl req” (as outlined in Dave’s post), but then when you sign server certs with “openssl ca” – even when you’ve created the CA cert with the “-sha512” switch – Chrome still throws the same error.

The trick is to specify an equally obscurely documented argument “sha512” for the “-md” switch with “openssl ca”, like so:

openssl ca -md sha512 -config /etc/ssl/openssl.cnf.internalCA -policy policy_anything -in -out -keyfile ../private/internalCA.key -days 3650

Now the signed server certificate reflects “sha512RSA” as the Signature algorithm, and the Chrome error is gone.