Nginx – Thawte SSL123 SHA-2 Intermediate Certificate Chain, Broken

Tags: hash, nginx, ssl-certificate

I attempted to upgrade my one Web site, running nginx, from a SHA-1 SSL123 certificate to a SHA-2 one.

Thawte's Web page with intermediate CAs has "RSA SHA-2 (under SHA-1 Root)" and "RSA SHA-2 (under SHA-2 Root)" tables.

If I use the CA bundle for "under SHA-1 Root", I see that the bundle contains two certificates, and my Web site works. However, Qualys' SSL Test rightfully dings me for having a SHA-2 certificate with SHA-1 in the certificate chain.

However, the "under SHA-2 Root" table does not have bundles. If I use the single intermediate certificate they supply there, Firefox and other tools point out that the certificate chain is broken, and browsers won't load my site.

Right now, I'm using the SHA-1 root, to have a working site. However, I would like to switch to the SHA-2 root.

Where do I get the missing intermediate certificate? Or, if that's not the problem, how do I create a combined certificate file for Thawte's SSL123 for a SHA-2 certificate with a full chain of SHA-2 intermediate certificates?

Thanks!

Best Answer

Your own certificate is signed by exactly one certificate.

This means that your certificate is at one end of exactly one of these Thawte chains; you would need a different certificate to be in the other chain (one signed by the intermediate certificate from that chain).

As for the signature of the root certificate being SHA-1, SHA-2 or something else, it is of little consequence compared to other certificates in the chain, as the validating party already has the root certificates that they trust; they do not need a signature to check the roots. (See e.g. SHA1 Deprecation: What You Need to Know.)

Examining the certificates in the Thawte SSL123 SHA-2 (under SHA-1 Root) chain, it turns out that one of the intermediate certificates ("Primary Intermediate CA") is also SHA-1 (not only the root). It is almost assuredly this certificate that you are getting "dinged" for. You'll need to get Thawte to issue you a new certificate signed by the intermediate certificate from the other chain to resolve this.
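As an added illustration (not part of the question or the answer), a stdlib-only Python script that does the check the answer describes: it reads a leaf-first PEM bundle, reports each certificate's signature hash algorithm and whether that certificate's issuer is present in the bundle, so a SHA-1-signed intermediate or a missing link (a "broken" chain) shows up immediately. The bundle it runs on is constructed from dummy unsigned certificates; the CA names are placeholders, not Thawte's actual certificates.

```python
import base64
import re
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # DER value of OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # DER value of OID 1.2.840.113549.1.1.11
OIDS = {SHA1_RSA: "sha1WithRSA", SHA256_RSA: "sha256WithRSA"}

def tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def children(value):
    """Yield the (tag, value) elements of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val
def parse_cert(der):
    """Return (subject DER, issuer DER, signature algorithm) of one certificate."""
    tbs, sig_alg, _sig = children(tlv(der)[1])
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]   # drop optional [0] version
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    oid = next(children(sig_alg[1]))[1]
    return fields[4][1], fields[2][1], OIDS.get(oid, oid.hex())
def chain_report(pem):
    """Per certificate, leaf first: (signature algorithm, issuer present in bundle?)."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    certs = [parse_cert(base64.b64decode(b)) for b in blobs]
    subjects = {subj for subj, _, _ in certs}
    return [(alg, issuer in subjects) for _, issuer, alg in certs]

# Constructed sample bundle: unsigned dummy certificates, not real Thawte data.
def enc(tag, *parts):
    body = b"".join(parts)                          # lengths < 256 are enough here
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def fake_cert(subject, issuer, sig_oid):
    name = lambda s: enc(0x30, enc(0x0C, s.encode()))   # simplified Name, compared as bytes
    alg_id = enc(0x30, enc(0x06, sig_oid), enc(0x05))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), alg_id, name(issuer),
              enc(0x30, enc(0x17, b"150101000000Z"), enc(0x17, b"160101000000Z")),
              name(subject), enc(0x30, alg_id, enc(0x03, b"\x00")))
    der = enc(0x30, tbs, alg_id, enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_BUNDLE = (fake_cert("www.example.com", "Intermediate CA", SHA256_RSA)
                 + fake_cert("Intermediate CA", "Primary Intermediate CA", SHA256_RSA)
                 + fake_cert("Primary Intermediate CA", "Root CA", SHA1_RSA))
```

Feeding the contents of a real bundle file to chain_report gives the same kind of report; the last entry is expected to have no issuer in the bundle, since the root is not shipped, but any earlier entry without one means an intermediate is missing.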