It's time to replace those SHA-1 SSL certificates

It's time to check/validate the SSL certificates you have in use. Soon, certificates signed with SHA-1 will generate a warning in all major browsers.

Microsoft, Chrome, and Firefox all recently deprecated SHA-1, and plan to turn it off in 2017.

Almost all my self-signed certificates (used only for personal stuff) were using SHA-1. They'll have to be renewed and generated with the -sha256 parameter to OpenSSL.

A lot of useful OpenSSL instructions can be found at:

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
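
As an added example (not from the original post), these shell functions report which signature algorithm a certificate uses and reissue a self-signed certificate with -sha256. The function names, file names and the CN example.internal are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names, file names and the CN are illustrative.

# Print the signature algorithm of a PEM certificate,
# e.g. "sha256WithRSAEncryption". Only the first certificate
# in the file is inspected, so split chain bundles first.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Exit status: 0 = signed with SHA-1, 1 = other digest, 2 = unreadable.
cert_uses_sha1() {
    alg=$(cert_sig_alg "$1")
    [ -n "$alg" ] || return 2
    case "$alg" in
        sha1*|*SHA1) return 0 ;;   # sha1WithRSAEncryption, ecdsa-with-SHA1, dsaWithSHA1
        *)           return 1 ;;
    esac
}

# Create a new RSA key and a self-signed certificate signed with the
# given digest. Usage: make_self_signed sha256 /path/prefix
make_self_signed() (
    umask 077   # keep the private key unreadable to other users
    # stderr (key generation progress) is suppressed; check the exit status
    openssl req -x509 -newkey rsa:2048 -nodes "-$1" -days 365 \
        -subj "/CN=example.internal" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
)

# Report every .crt/.pem file in a directory.
audit_dir() {
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        cert_uses_sha1 "$f" && rc=0 || rc=$?
        case $rc in
            0) echo "SHA-1  $f" ;;
            1) echo "ok     $f ($(cert_sig_alg "$f"))" ;;
            *) echo "skip   $f (not a readable certificate)" ;;
        esac
    done
}

# When called with a directory argument, audit it.
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```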

I'm also using a few free (but valid) certificates from StartSSL. With StartSSL you have to combine a StartSSL PEM file with the certificate you get from them. The instructions for Nginx are still pointing to a PEM file using SHA-1. A PEM file from StartSSL using SHA-2 is located at the following URL:

http://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

I used this file together with my certificate and everything worked fine. No more SHA-1 warnings at https://www.ssllabs.com/ssltest

A lot more information about this change can be found at: https://shaaaaaaaaaaaaa.com/