As of late 2014, SHA1 certificates and their SHA1 trust chain (not including the Root CA) will be considered insecure by Google Chrome.
A three-step process will increase the severity of the warning:
- Initially, SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon. This is a lock with a yellow triangle.
- Severity will increase thereafter, where:
  - SHA1 certificates that expire between 2016/6/1 and 2016/12/31, inclusively, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon. This is a lock with a yellow triangle.
  - SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Neutral, no security" icon. This is the blank page icon, as shown by HTTP URLs.
- Finally, Chrome will render websites with SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, with the "Affirmatively insecure, major errors" icon. The "Affirmatively insecure, major errors" icon is a lock with a red X.

To resolve this issue, SHA2 certificates must be installed.
Google: Gradually sunsetting SHA-1
What about cross-root chaining? For example:
Chain one : >> (1) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca1(N/A)
or
Chain two : >> (2) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha1) <- ca2-ca2(N/A)
or
Chain three: >> (3) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha256) <- ca2-ca2(N/A)
As per Ryan from Google:
"On the platforms where this is the case, the peer supplying ca1-ca2(sha256) as part of the handshake ensures that (3) is preferred, if ca2 is trusted."
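
The three-step schedule and the three cross-root chains above can be checked mechanically. The following is an added example, not Chrome's code and not part of the original page: it parses the `subject-issuer(alg)` chain notation used above and returns the indicator the page lists for a given step. The function names, the step numbers 1 to 3, and the reading that `not_after` is the leaf certificate's expiry date are assumptions of the example.

```python
import re
from datetime import date

# Indicator names as quoted on this page.
MINOR = "Secure, but minor errors"
NEUTRAL = "Neutral, no security"
INSECURE = "Affirmatively insecure, major errors"

# One chain element in the page's notation: subject-issuer(signature algorithm)
LINK = re.compile(r"^(?P<subject>.+)-(?P<issuer>[^-()]+)\((?P<alg>[^()]+)\)$")

def parse_chain(text):
    """Parse 'subject-issuer(alg) <- ...' into (subject, issuer, alg) tuples, leaf first."""
    chain = []
    for part in text.split("<-"):
        m = LINK.match(part.strip())
        if not m:
            raise ValueError(f"unrecognised chain element: {part!r}")
        alg = m["alg"].lower().replace("-", "")  # 'sha-256' and 'sha256' compare equal
        chain.append((m["subject"], m["issuer"], alg))
    return chain

def sha1_links(chain):
    """Subjects of SHA-1-signed certificates, skipping the self-signed root CA."""
    return [s for s, i, alg in chain if alg == "sha1" and s != i]

def indicator(chain_text, not_after, step):
    """Return the indicator this page lists for the step (1-3), or None if none applies."""
    if step not in (1, 2, 3):
        raise ValueError("step must be 1, 2 or 3")
    if not sha1_links(parse_chain(chain_text)):
        return None  # no SHA-1 signature below the root
    if not_after >= date(2017, 1, 1):
        return {1: MINOR, 2: NEUTRAL, 3: INSECURE}[step]
    if step == 2 and date(2016, 6, 1) <= not_after <= date(2016, 12, 31):
        return MINOR
    return None  # the page lists no rule for this step and expiry date

# The three chains from the page, without the "Chain one : >> (1)" labels.
CHAIN_ONE = "example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca1(N/A)"
CHAIN_TWO = "example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha1) <- ca2-ca2(N/A)"
CHAIN_THREE = "example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha256) <- ca2-ca2(N/A)"

if __name__ == "__main__":
    for name, chain in [("one", CHAIN_ONE), ("two", CHAIN_TWO), ("three", CHAIN_THREE)]:
        # Constructed expiry date, chosen to fall on/after 2017/1/1.
        print(name, [indicator(chain, date(2017, 3, 1), s) for s in (1, 2, 3)])
```

Only chain two is flagged, because its `ca1-ca2` cross-certificate is a SHA-1-signed intermediate; the self-signed roots are skipped regardless of their signature algorithm.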