Why does Chrome on 1 computer say my certificate is invalid/insecure? [duplicate]

Solution 1:

The reason is explained on StartCOM's forum:

https://forum.startcom.org/viewtopic.php?f=15&t=15929&p=21716

And on Chrome's:

https://code.google.com/p/chromium/issues/detail?id=473105

It is indeed SHA1.

It's due to Windows' or Chrome's certificate cache. Because they (the old and the new intermediate cert) have the same name, the client will use the cached variant, which might be the old SHA1 one. The naming is StartCOM's fault. The bad caching is Windows' or Chrome's fault. They're not working very hard to fix it.

SSL checkers don't have the same problem, because they don't use anything cached.

Different computers have different results, because the cache is local.

The (very specific, local) solution on the StartCom forum works for me: clear cert from local cache, to trigger redownload of new cert, but it's not really a solution for all other users. (In my case only a few, so no problem.)

Solution 2:

I believe this might have to do with the deprecation of SHA-1. Early this year, Google made a change in its Chrome 41 browser. Accordingly, 'sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA1-based signature as part of the certificate chain, will be treated as "affirmatively insecure". Trusted root certificates using SHA1 are not affected. Clients trust them for identity purposes and not for the strength of their signature algorithm'. This was a direct quote from the above link.

I checked your certificate - it expires after 01/2017 and, although the certificate for your domain was signed using SHA-2, the intermediate chain certificate for 'StartCom Class 2 Primary Intermediate Server CA' that you are using uses the SHA-1 signature algorithm. The intermediate also expires after 01/2017.
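The two answers together describe one check: walk the chain the client actually built, read each certificate's signature algorithm and the leaf's expiry, ignore the root, and apply the Chrome 41 rule. The following is an added example (it is not code from either answer, from StartCom or from Chrome) that does exactly that with a minimal DER walker and no third-party library. Everything in it is constructed: the CA and host names, the certificate contents and the signature bits (it parses structure, it does not verify signatures). The OIDs, the X.509 field order and the DER encoding are real. Treating "subject equals issuer" as "root" is a simplification; a real client decides that from its trust store. The sample chain reproduces the situation in the question, with an intermediate re-issued under the same name, so that the same leaf is judged differently depending on which copy of the intermediate the client holds:

```python
# Added example, not from the original answers: walk a DER chain and apply the
# Chrome 41 SHA-1 rule quoted above. The certificates built below are constructed, not real.
import datetime

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}  # RSA/ECDSA/DSA with SHA-1
SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
RSA_KEY, CN_OID = "1.2.840.113549.1.1.1", "2.5.4.3"
CHROME_CUTOFF = datetime.datetime(2017, 1, 1)  # leaf "expires on or after 1 January 2017"
# --- minimal DER encoder, used only to build the constructed sample chain ---
def der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base 128, high groups first, continuation bit on all but the last
        chunks = [p & 0x7F]
        p >>= 7
        while p:
            chunks.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunks))
    return der(0x06, bytes(body))

def alg_id(oid):  # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    return der(0x30, encode_oid(oid) + der(0x05, b""))
def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { commonName OID, UTF8String } } }
    return der(0x30, der(0x31, der(0x30, encode_oid(CN_OID) + der(0x0C, cn.encode()))))
def utctime(dt):  # UTCTime "YYMMDDHHMMSSZ" (valid for years before 2050)
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def make_cert(subject, issuer, sig_oid, not_after):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                          # [0] version v3
                    + der(0x02, b"\x01")                                   # serialNumber
                    + alg_id(sig_oid)                                      # signature
                    + name(issuer)
                    + der(0x30, utctime(datetime.datetime(2015, 1, 1)) + utctime(not_after))
                    + name(subject)
                    + der(0x30, alg_id(RSA_KEY) + der(0x03, b"\x00")))    # placeholder SPKI
    # Dummy signature bits: the checker reads structure only, it does not verify signatures.
    return der(0x30, tbs + alg_id(sig_oid) + der(0x03, b"\x00" + b"\xAA" * 8))

# --- minimal DER decoder ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def common_name(name_content):  # Name contents -> value of its first (and here only) RDN
    atv = read_tlv(read_tlv(name_content)[1])[1]          # SET -> AttributeTypeAndValue contents
    return read_tlv(atv, read_tlv(atv)[2])[1].decode()    # skip the type OID, take the value string

def parse_cert(cert_der):
    cert = read_tlv(cert_der)[1]
    _, tbs, p = read_tlv(cert)                                   # tbsCertificate
    sig_oid = decode_oid(read_tlv(read_tlv(cert, p)[1])[1])      # outer signatureAlgorithm OID
    tag, _, pos = read_tlv(tbs)
    pos = pos if tag == 0xA0 else 0                              # optional [0] version
    pos = read_tlv(tbs, read_tlv(tbs, pos)[2])[2]                # skip serialNumber and inner signature
    _, issuer, pos = read_tlv(tbs, pos)
    _, validity, pos = read_tlv(tbs, pos)
    subject = read_tlv(tbs, pos)[1]
    ttag, not_after, _ = read_tlv(validity, read_tlv(validity)[2])  # skip notBefore
    fmt = "%y%m%d%H%M%SZ" if ttag == 0x17 else "%Y%m%d%H%M%SZ"      # UTCTime / GeneralizedTime
    return {"subject": common_name(subject), "issuer": common_name(issuer), "sig_oid": sig_oid,
            "not_after": datetime.datetime.strptime(not_after.decode(), fmt)}

def check_chain(chain_der):
    """chain_der: DER certs leaf first, root last (what the server sent plus the local root)."""
    certs = [parse_cert(c) for c in chain_der]
    # Roots are exempt: they are trusted by identity, not by the strength of their own signature.
    sha1 = [c["subject"] for c in certs
            if c["sig_oid"] in SHA1_SIG_OIDS and c["subject"] != c["issuer"]]
    verdict = ("affirmatively insecure" if sha1 and certs[0]["not_after"] >= CHROME_CUTOFF
               else "sha1 in chain, leaf expires before 2017-01-01" if sha1 else "ok")
    return {"verdict": verdict, "sha1_certs": sha1}

# Constructed chain mirroring the question: the intermediate was re-issued with SHA-256 under the
# same name, so a client that still has the old copy cached keeps building a SHA-1 chain.
ROOT = make_cert("Example Root CA", "Example Root CA", SHA1_RSA, datetime.datetime(2036, 9, 17))
OLD_INT = make_cert("Example Class 2 Intermediate CA", "Example Root CA", SHA1_RSA, datetime.datetime(2017, 10, 24))
NEW_INT = make_cert("Example Class 2 Intermediate CA", "Example Root CA", SHA256_RSA, datetime.datetime(2017, 10, 24))
LEAF = make_cert("www.example.test", "Example Class 2 Intermediate CA", SHA256_RSA, datetime.datetime(2017, 6, 1))

if __name__ == "__main__":
    print("client with stale cached intermediate:", check_chain([LEAF, OLD_INT, ROOT]))
    print("fresh download / online SSL checker:  ", check_chain([LEAF, NEW_INT, ROOT]))
```

To run this against a real site, take the PEM blocks printed by `openssl s_client -connect host:443 -servername host -showcerts`, base64-decode each into DER, and pass them to `check_chain` leaf first. That gives the chain the server sends, which is what an online SSL checker sees; the chain a particular Windows or Chrome client builds may differ when it substitutes a cached intermediate of the same name, which is why the result differs per computer. The second verdict string covers leaves that expire before 2017, which the quoted rule does not flag as "affirmatively insecure".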