Weak signature detected on certificates in chain

Rule from ssl under security category

What is a trooper!

we have submitted your edit to the community for review! We'll review and make it live on the site in the next few hours, the internet thanks you :).

Browse another section of the knowledge base

Suggest an edit


This rule has no content... yet.

Add content to this rule

Or just browse to view rules that have content


Certificate Authority's often issue Intermediate certificates that are used to sign and create new certificates.

On clients that allow connections over HTTPS a list of root are included which are checked for a valid certificate, see root certificates included by Mozilla for example.

These lists often do not include the intermediate certificate and can vary depending on provider/browser and device. It is advised to build a full chain all the way up to the root, but excluding the root itself. This allows all devices, even if they do not have the intermediate certificate, to view the site as verified over https.

The SHA1 signature was used for quite a while to sign certificates, but the signature has proven to be insecure with the advent of faster processors. The signature is being phased out and will start giving warnings to users when a certificate is found using the signature after Dec 2016.

How do I fix this ?

Verify that all certificates supplied in the chain (excluding the root) are not signed using a SHA1 signature. If they are, either request a renwenal of the servers' certificate or any Intermediate certificates found to be signed using SHA1.

Most Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) now provide a intermediate certificate that has not been signed with SHA1 as a alternative to download and use.

Newer options include free certificates from Let's Encrypt which will provide a actual signed certificate that can be used for local/internal and public sites. Which takes the management out of the server admin's hands to fix these problems.

Providers like Cloudflare have also started providing SSL certificates for any websites going through their proxy, making it easy to give any website HTTPS if there is no control over the actual web server.


Browse another section of the knowledge base

Signup icon
Ready to see how well your site scores?

Passmarked works best when you have an account. It allows you to keep a dashboard with saved data of the sites you have run through the system, we’ll alert you about important updates and you get access to the Passmarked Slack forum.

Sign up to get started