It's time to replace those SHA-1 SSL certificates
It's time to check/validate SSL certificates in use. Soon certificates who uses SHA-1 SSL will generate a warning in all major browsers.
Microsoft, Chrome, and Firefox all recently deprecated SHA-1, and plan to turn it off in 2017.
Almost all my self signed cerificates (used only for personal stuff) were using SHA-1. They'll have to be renewed and generated with the -sha256 parameter to OpenSSL.
A lot of usefull OpenSSL instructions can be found at
I'm also using a few free (but valid) cerificates from StarSSL. With StartSSL you have to combine a StartSSL pem file with the certificate you get from them. The instructions for Nginx is still pointing to an pem file using SHA-1. A pem file from StartSSL using SHA-2 is located at the following URL.
http://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
I used this file together with my certificate and everything worked fine. No more SHA-1 warnings at https://www.ssllabs.com/ssltest
A lot more information about this change can be found at: https://shaaaaaaaaaaaaa.com/