How to check if SSL certificate is SHA1 or SHA2
When creating an SSL certificate, make sure it is signed with a SHA-2 algorithm. There are 3 ways to check this:
Check certificate in browser itself
You can open the website in Chrome using a URL like https://www.mysite.com (or an IP address, https://x.x.x.x) and click on
This opens the DevTools window, where you can check which algorithm is used.
As you can see, the current certificate is a SHA-1 certificate, with the message “The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.”
Now let's see what a SHA-2 signed website looks like. Visit https://www.google.com and click on the green padlock; it will pop up the certificate. As you can see:
Signature algorithm – sha256RSA
Signature hash algorithm – sha256
Check through command line:
    $ openssl s_client -connect localhost:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption
    $ openssl x509 -noout -text -in localhost.crt | grep "Signature Algorithm" | uniq
    $ openssl x509 -noout -text -in servercert.pem    # For .pem certificate
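The commands above only inspect the leaf certificate, while the Chrome warning quoted earlier is about the whole chain. The following is an added example, not part of the original page, that checks every certificate the server sends; the function names `audit_cert_text` and `audit_host` are hypothetical, and it assumes `openssl` and `awk` are installed.

```shell
#!/bin/sh
# Added example (not from the original page): audit every certificate a
# server presents, not just the leaf, for SHA-1/MD5 signatures.

# Read `openssl x509 -noout -text` output for one or more certificates on
# stdin; print "index<TAB>verdict<TAB>algorithm<TAB>subject" per certificate.
# Returns 1 if any certificate is signed with a weak hash.
audit_cert_text() {
    awk '
        function verdict(a) {
            a = tolower(a)
            if (a ~ /md2|md5|sha1/)         return "WEAK"
            if (a ~ /sha(224|256|384|512)/) return "OK"
            return "REVIEW"   # e.g. rsassaPss: the hash is in the parameters
        }
        function emit(  v) {
            if (!n) return
            v = verdict(alg); if (v == "WEAK") weak = 1
            printf "%d\t%s\t%s\t%s\n", n, v, alg, subj
        }
        /^Certificate:/        { emit(); n++; alg = ""; subj = "" }
        /Signature Algorithm:/ { if (alg == "") alg = $3 }
        /^ *Subject:/          { sub(/^ *Subject: */, ""); subj = $0 }
        END                    { emit(); exit weak + 0 }
    '
}

# Fetch the chain from HOST [PORT] and audit it. Certificates are numbered
# in the order the server sends them (1 = leaf).
audit_host() {
    openssl s_client -connect "$1:${2:-443}" -showcerts </dev/null 2>/dev/null |
    awk -v cmd="openssl x509 -noout -text" '
        /^Server certificate/         { exit }   # leaf may be repeated below
        /-----BEGIN CERTIFICATE-----/ { on = 1 }
        on                            { print | cmd }
        /-----END CERTIFICATE-----/   { on = 0; close(cmd) }' |
    audit_cert_text
}

# Usage: audit_host localhost 443
```

If the server also sends a self-signed root, a SHA-1 verdict on that last entry matters less than on the leaf or intermediates, because a root is trusted by being in the trust store rather than by its own signature.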
Check through online tools:
If your website is accessible from the Internet, you can use one of many online tools to check whether the certificate is signed with SHA-1 or SHA-2.
- https://shaaaaaaaaaaaaa.com/ – Check your site for weak SHA-1 certificates.
- https://www.sha2sslchecker.com/ – SHA-2 Testing Tool
- https://shachecker.com/ – Check your website for old encryption algorithm SHA-1