Back
-
Solutions
Back
Digital Trust for:
Enterprise IT, PKI & Identity
Code & Software
Documents & Signing
IoT & Connected Devices
Manage PKI and Certificate risk in one place
Streamlined Certificate
Management and Automation:
Delivering At-Scale Uptime and Availability
Secure, update, monitor and control connected devices at scale
DOWNLOAD NOW - Buy
-
Insights
Back
Digital Trust for the Real World
Explore these pages to discover how DigiCert is helping organizations establish, manage and extend digital trust to solve real-world problems.
Ponemon Institute Report
See what our global post-quantum study uncovered about where the world stands in the race to prepare for quantum computing.
LEARN MORE >
-
Partners
Back
- Support
- Contact us
- Language
Security 101
05-22-2015
Flavio Martins
How to Fix “Site Is Using Outdated Security Settings” on Server
Recent efforts by browsers urge administrators to update SSL security on websites. This includes a big push to upgrade legacy SHA-1 certificates to SHA-256. Staying up-to-date is critical for ongoing data security issues and keeping online trust.
The Chrome browser led the way in how browsers are choosing to handle SHA-1 Certificates, and customers and users on some sites secured by DigiCert have reported that they are getting an error that reads, “This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."
The problem is related to a locally installed legacy intermediate certificate that is no longer used or required for the certificate installation. The problem can affect any client platform with a locally cached or installed intermediate certificate.
Legacy Intermediate Certificate
The certificate in question is the “DigiCert High Assurance EV Root CA” certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices. This certificate is unnecessary for installations.
Error
The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.
One of the reasons this error will appear is if there is a cross-signed SHA-1 intermediate certificate in your certificate chain.
Is the Error on the Server or Browser Side?
To determine where the error is occurring, use DigiCert SSL Installation Diagnostic Tool. Type in the name of your server and click “Check Server.” If a cross-signed intermediate certificate shows up in the certificate chain then the problem is on the server side. If there is no intermediate certificate in the chain, then the problem is on the browser side. To fix the error on the browser, side click here.
Instructions for Fixing the Error on the Server Side
How to Remove the Cross-signed Intermediate Certificate for Windows How to Remove the Cross-signed Intermediate Certificate for Apache and Nginx
How to Remove the Cross-Signed Intermediate Certificate for Windows
To fix the error, you need to remove the cross-signed intermediate certificate so it does not bridge over to another Certificate Authority’s root certificate.
These instructions were created on Windows Server 2012. You may need to modify these instructions depending on which version of the operating system you are using.
- Open Microsoft Management Console as an admin.
- On the Windows Start screen, type mmc.
- Right-click on mmc.exe and then click Run as administrator.
- In the User Account Control window, click Yes to allow the program to make changes to the computer.
- In the MMC Console, click File > Add/Remove Snap-in.
- In the Add or Remove Snap-ins window, under Available snap-ins, select Certificates and then click Add.
- In the Certificate snap-in window, select Computer account so you can manage the certificates that are installed on this computer.
- In the Select Computer window, select Local computer: (the computer this console is running on) and click Finish.
- In the Add or Remove Snap-ins window, click OK.
- In the MMC Console tree, expand Intermediate Certification Authorities; click on the Certificates.
- Find the file under the Issued To section titled "DigiCert High Assurance EV Root CA" and Issued By "Baltimore CyberTrust Root."
- Right-click on the "Baltimore CyberTrust Root" and click Delete.
- Restart the server.
- Open Microsoft Management Console as an admin.
How to Remove the Cross-signed Intermediate Certificate for Apache and Nginx
Apache
Edit the SSLCertificateChainFile /path/to/DigiCertCA.crt directive to include only one certificate.
Nginx
Edit the ssl_certificate /etc/ssl/your_domain_name.pem; to include only the server certificate and its issuing intermediate certificate.
No Action Required for Most Certificate Installations
All recent installations of certificates issued by DigiCert include the most up-to-date intermediates in order to establish trust with browsers.
If you have problems on other operating systems, please contact supportso we can get additional details and update our documentation for other users to resolve the cached intermediate error.
If you need assistance with this or any other issues, our Support Teamis always happy to help.
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
-
© 2024 DigiCert, Inc. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings