I attempted to upgrade my one Web site, running nginx, from a SHA-1 SSL123 certificate to a SHA-2 one.

Thawte's Web page with intermediate CAs has "RSA SHA-2 (under SHA-1 Root)" and "RSA SHA-2 (under SHA-2 Root)" tables.

If I use the CA bundle for "under SHA-1 Root", I see that the bundle contains two certificates, and my Web site works. However, Qualys' SSL Test rightfully dings me for having a SHA-2 certificate with SHA-1 in the certificate chain.

However, the "under SHA-2 Root" table does not have bundles. If I use the single intermediate certificate they supply there, Firefox and other tools point out that the certificate chain is broken, and browsers won't load my site.

Right now, I'm using the SHA-1 root, to have a working site. However, I would like to switch to the SHA-2 root.

Where do I get the missing intermediate certificate? Or, if that's not the problem, how do I create a combined certificate file for Thawte's SSL123 for a SHA-2 certificate with a full chain of SHA-2 intermediate certificates?

Thanks!

CommonsWare

2 Answers

Your own certificate is signed by exactly one certificate.

This means that your certificate is at one end of exactly one of these Thawte chains; you would need a different certificate to be in the other chain (one signed by the intermediate certificate from that chain).

As for the signature of the root certificate being SHA-1, SHA-2 or something else, it is of little consequence compared to other certificates in the chain, as the validating party already has the root certificates that they trust; they do not need a signature to check the roots. (See e.g. SHA1 Deprecation: What You Need to Know.)

Examining the certificates in the Thawte SSL123 SHA-2 (under SHA1-Root) chain it turns out that one of the intermediate certificates ("Primary Intermediate CA") is also SHA-1 (not only the root). It is almost assuredly this certificate that you are getting "dinged" for. You'll need to get Thawte to issue you a new certificate signed by the intermediate certificate from the other chain to resolve this.

Håkan Lindqvist
  • That makes sense. What doesn't make sense is why Thawte would be issuing certs that go up the SHA-1 chain here in December 2014. I'll see if I get some tech support love on this one on Monday, and I'll circle back to this question if they confirm what you're saying. Many thanks! – CommonsWare Dec 13 '14 at 21:15
It turns out that Thawte's site is just confusing for people who don't work with SSL certs a lot.

Despite the fact that there are two certificates shown for SSL123 SHA2 under SHA-1 Root, you only need the first one. The second certificate is the SHA-1 root, and you don't need it concatenated with your site's cert for deployment to nginx. Just use the first certificate, and you are good to go.

CommonsWare
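The two answers above make two practical points: look at every certificate in the bundle to find the SHA-1 link (it was the intermediate, not just the root), and for nginx concatenate only the site certificate and the intermediate, never the root. The script below is an added example, not code from the question, either answer, or Thawte, that shows both with openssl: it builds a toy root -> intermediate -> site chain (all SHA-256), assembles the two-certificate bundle nginx expects in ssl_certificate, verifies it the way a client would, and reports the signature algorithm of each certificate so a SHA-1 intermediate is caught before SSL Labs sees it. It assumes an openssl CLI (1.1.1 or later) on PATH with its default config; the names Toy Root, Toy Intermediate and www.example.test are made up for the example.

```shell
#!/bin/sh
# Added example (not from the question or answers): build a toy root -> intermediate
# -> site chain, assemble the nginx bundle (site cert + intermediate, no root),
# verify it, and report each certificate's signature algorithm.
# Assumes: openssl CLI on PATH. Names below are invented for the example.

# Generate a SHA-256-signed three-level chain in directory $1.
make_toy_chain() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$d/site.ext"
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  openssl genrsa -out "$d/int.key" 2048 2>/dev/null
  openssl genrsa -out "$d/site.key" 2048 2>/dev/null
  # Self-signed root; the default v3_ca section of openssl.cnf marks it CA:TRUE.
  openssl req -x509 -new -key "$d/root.key" -sha256 -days 30 -subj "/CN=Toy Root" -out "$d/root.pem"
  # Intermediate signed by the root, with CA extensions so verify accepts it as an issuer.
  openssl req -new -key "$d/int.key" -subj "/CN=Toy Intermediate" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
  # Site certificate signed by the intermediate.
  openssl req -new -key "$d/site.key" -subj "/CN=www.example.test" -out "$d/site.csr"
  openssl x509 -req -in "$d/site.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$d/site.ext" -out "$d/site.pem" 2>/dev/null
}

# The file nginx's ssl_certificate should point at: server cert first, then the
# intermediate(s), and no root. Clients already trust the root, so it is dead weight.
build_nginx_bundle() {
  cat "$1/site.pem" "$1/int.pem" > "$1/fullchain.pem"
}

# Split a PEM bundle into one certificate per file and print the file names.
_split_bundle() {
  dir=$(mktemp -d)
  awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/cert" n ".pem")}' "$1"
  ls "$dir"/cert*.pem
}

# Number of certificates in a PEM bundle.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Signature algorithm of one certificate file, e.g. sha256WithRSAEncryption.
_sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/{print $NF; exit}'
}

# Subject, issuer and signature algorithm of every certificate in a bundle.
chain_report() {
  for f in $(_split_bundle "$1"); do
    openssl x509 -in "$f" -noout -subject -issuer
    echo "signature: $(_sig_alg "$f")"
  done
}

# How many certificates in the bundle carry a SHA-1 signature (what SSL Labs dings).
sha1_signed_count() {
  n=0
  for f in $(_split_bundle "$1"); do
    case "$(_sig_alg "$f")" in sha1*) n=$((n+1)) ;; esac
  done
  echo "$n"
}

# Validate the served bundle the way a client would, trusting only the root.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/fullchain.pem" "$1/site.pem" >/dev/null
}

main() {
  d=$(mktemp -d)
  make_toy_chain "$d"
  build_nginx_bundle "$d"
  echo "== $d/fullchain.pem =="
  chain_report "$d/fullchain.pem"
  echo "certificates: $(cert_count "$d/fullchain.pem"), SHA-1 signed: $(sha1_signed_count "$d/fullchain.pem")"
  verify_chain "$d" && echo "chain verifies against root.pem"
  # Re-sign the same intermediate key with SHA-1 to reproduce the asker's situation:
  # SHA-2 site cert under a SHA-1 intermediate. Some OpenSSL builds refuse SHA-1 signing.
  if openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
       -sha1 -days 30 -extfile "$d/int.ext" -out "$d/int-sha1.pem" 2>/dev/null; then
    cat "$d/site.pem" "$d/int-sha1.pem" > "$d/badchain.pem"
    echo "== $d/badchain.pem (SHA-1 intermediate) =="
    chain_report "$d/badchain.pem"
    echo "SHA-1 signed: $(sha1_signed_count "$d/badchain.pem")"
  else
    echo "this OpenSSL refuses to sign with SHA-1; skipping the bad-chain demo"
  fi
}

if [ "${1:-}" = demo ]; then main; fi
```

Run it as `sh chain-check.sh demo`. To check a real deployment, point chain_report and sha1_signed_count at the bundle nginx serves (or at `openssl s_client -connect host:443 -showcerts` output saved to a file); any line reporting sha1WithRSAEncryption other than the root itself is the certificate the question's SSL Labs report is complaining about.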