Chrome ‘Weak Signature Algorithm’ Solved

If your Google Chrome installation has been upgraded (or has upgraded itself automatically) to version 18 or later, you may have noticed a ‘Weak Signature Algorithm’ error message on some sites you access over SSL/HTTPS.

This has mostly affected people (developers in particular) accessing sites with self-signed certificates, as I do for a number of development projects I deal with.

A lot of people suggested that it is a bug in the latest version of Chrome, and it may well be, but there is a workaround.

This error seems to occur when the self-signed certificate is signed using the MD5 hash algorithm. This is not uncommon: the example certificate creation routine supplied by OpenSSL, which most people follow, uses MD5, and Chrome appears to be declaring MD5 too weak a hashing algorithm.

Honestly, that’s probably correct too. However, if this isn’t a bug, it seems that Google has made this call arbitrarily.

The solution?

Change the hashing from MD5 to SHA512.

If you create your certificates directly from the command line, use the -sha512 switch instead of the -md5 switch – for example:

    openssl req -new -x509 -sha512 -nodes -out server.crt -keyout server.key

If using an “openssl.cnf” configuration file, make sure all “default_md” directives have “sha512” as their values.

    default_md = sha512

Your new certificates should now be signed with SHA512 instead of MD5, and Google Chrome should no longer complain about the weak algorithm.
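
As an added example (not part of the original post), the shell function below checks that every “default_md” directive in an openssl.cnf, in whichever section it appears, is set to the expected digest. The function names, the simplified comment handling and the sample configuration are assumptions constructed for illustration.

```shell
# audit_default_md FILE [EXPECTED]
# Prints "LINE [SECTION] VALUE" for each default_md directive whose value is
# not EXPECTED (default: sha512). Returns 0 if clean, 1 on findings, 2 on error.
# Simplification (assumption): everything after '#' is treated as a comment.
audit_default_md() {
    file=$1
    expected=${2:-sha512}
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    awk -v want="$expected" '
        BEGIN { want = tolower(want); section = "default" }
        {
            line = $0
            sub(/#.*/, "", line)                     # drop comments
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)      # trim whitespace and CR
        }
        line == "" { next }
        line ~ /^\[.*\]$/ {                          # section header
            section = line
            sub(/^\[[ \t]*/, "", section)
            sub(/[ \t]*\]$/, "", section)
            next
        }
        {
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "default_md" && tolower(val) != want) {
                printf "%d [%s] %s\n", NR, section, val
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$file"
}

# Constructed sample configuration, for demonstration only.
write_sample_cnf() {
    cat > "$1" <<'EOF'
# constructed sample config
[ req ]
default_bits = 2048
default_md   = sha512   # already fixed
[ CA_default ]
default_md = md5
EOF
}
```

Run it as audit_default_md /path/to/openssl.cnf; a non-zero exit status means at least one directive still needs changing.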