It's time to replace those SHA-1 SSL certificates

It's time to check/validate the SSL certificates in use. Soon, certificates that use SHA-1 will generate a warning in all major browsers.

Microsoft, Chrome, and Firefox all recently deprecated SHA-1, and plan to turn it off in 2017.

Almost all my self-signed certificates (used only for personal stuff) were using SHA-1. They'll have to be renewed and generated with the -sha256 parameter to OpenSSL.

A lot of useful OpenSSL instructions can be found at

I'm also using a few free (but valid) certificates from StartSSL. With StartSSL you have to combine a StartSSL PEM file with the certificate you get from them. The instructions for Nginx are still pointing to a PEM file using SHA-1. A PEM file from StartSSL using SHA-2 is located at the following URL.

I used this file together with my certificate and everything worked fine. No more SHA-1 warnings at
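To see which signature hash each certificate in a PEM file uses, including a combined certificate plus intermediate bundle like the one described above, shell functions along these lines can be used. This is an added example, not part of the original post; it assumes the openssl command-line tool is installed, and the function names, the 2048-bit RSA key and the 365-day validity are illustrative choices.

```shell
#!/usr/bin/env bash
# Added example: report the signature hash of every certificate in a PEM file
# (a single certificate, or a certificate + intermediate bundle).

# is_weak_sigalg ALG: succeeds if the algorithm name is SHA-1 or MD5 based.
is_weak_sigalg() {
  case "$1" in
    *[sS][hH][aA]1*|*[mM][dD]5*) return 0 ;;
    *) return 1 ;;
  esac
}

# cert_sigalg FILE: print the signature algorithm of the first certificate in FILE.
cert_sigalg() {
  openssl x509 -in "$1" -noout -text |
    awk '/Signature Algorithm:/ { print $NF; exit }'
}

# check_pem FILE: print "WEAK|ok <alg> <subject>" for each certificate in FILE.
# Returns 1 if any certificate uses a weak hash, 2 if no certificate was found.
check_pem() {
  local file=$1 tmp pem alg subj rc=0
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one temporary file per certificate.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/" n ".pem") }' "$file"
  for pem in "$tmp"/*.pem; do
    [ -e "$pem" ] || { rc=2; break; }
    alg=$(cert_sigalg "$pem")
    subj=$(openssl x509 -in "$pem" -noout -subject)
    if is_weak_sigalg "$alg"; then
      echo "WEAK $alg $subj"; rc=1
    else
      echo "ok   $alg $subj"
    fi
  done
  rm -rf "$tmp"
  return $rc
}

# make_selfsigned DIR CN: write DIR/key.pem and DIR/cert.pem, signed with SHA-256.
# CN is a sample name supplied by the caller; key size and lifetime are assumptions.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

Running check_pem on the combined file the web server actually loads covers both the server certificate and the intermediate in one pass.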

A lot more information about this change can be found at: