Check if my SSL Certificate is SHA1 or SHA2


Sha1 Problem Overview


I have tried to find the answer to this but I couldn't find an answer...

How do I check if my SSL Certificate is using SHA1 or SHA2?

Reason I ask is because it might have to do with the certificate not loading on Mozilla browsers....

Any ideas? Can I check through cPanel?

Sha1 Solutions


Solution 1 - Sha1

Use the Linux Command Line

Use the command line, as described in this related question: https://stackoverflow.com/questions/26473076/how-do-i-check-if-my-ssl-certificate-is-sha1-or-sha2-on-the-commandline.

### Command

Here's the command. Replace www.yoursite.com:443 to fit your needs. Default SSL port is 443:

```
openssl s_client -connect www.yoursite.com:443 < /dev/null 2>/dev/null \
    | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
```

### Results

This should return something like this for the sha1:

```
Signature Algorithm: sha1WithRSAEncryption
```

or this for the newer version:

```
Signature Algorithm: sha256WithRSAEncryption
```

### References

The article Why Google is Hurrying the Web to Kill SHA-1 describes exactly what you would expect and has a pretty graphic, too.

Solution 2 - Sha1

Update: The site below is no longer running because, as they say on the site:

> As of January 1, 2016, no publicly trusted CA is allowed to issue a SHA-1 certificate. In addition, SHA-1 support was removed by most modern browsers and operating systems in early 2017. Any new certificate you get should automatically use a SHA-2 algorithm for its signature.
>
> Legacy clients will continue to accept SHA-1 certificates, and it is possible to have requested a certificate on December 31, 2015 that is valid for 39 months. So, it is possible to see SHA-1 certificates in the wild that expire in early 2019.

Original answer:

You can also use https://shaaaaaaaaaaaaa.com/ - set up to make this particular task easy. The site has a text box - you type in your site domain name, click the Go button and it then tells you whether the site is using SHA1 or SHA2.

Background

Solution 3 - Sha1

You can check by visiting the site in your browser and viewing the certificate that the browser received. The details of how to do that can vary from browser to browser, but generally if you click or right-click on the lock icon, there should be an option to view the certificate details.

In the list of certificate fields, look for one called "Certificate Signature Algorithm". (For StackOverflow's certificate, its value is "PKCS #1 SHA-1 With RSA Encryption".)

Solution 4 - Sha1

```
openssl s_client -connect api.cscglobal.com:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm" | cut -d ":" -f2 | uniq | sed '/^$/d' | sed -e 's/^[ \t]*//'
```

Solution 5 - Sha1

I had to modify this slightly to be used on a Windows system. Here's the one-liner version for a Windows box.

```
openssl.exe s_client -connect yoursitename.com:443 > CertInfo.txt && openssl x509 -text -in CertInfo.txt | find "Signature Algorithm" && del CertInfo.txt /F
```

Tested on Server 2012 R2 using http://iweb.dl.sourceforge.net/project/gnuwin32/openssl/0.9.8h-1/openssl-0.9.8h-1-bin.zip

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | Henry | View Question on Stackoverflow |
| Solution 1 - Sha1 | cwd | View Answer on Stackoverflow |
| Solution 2 - Sha1 | Hamish Downer | View Answer on Stackoverflow |
| Solution 3 - Sha1 | Wyzard | View Answer on Stackoverflow |
| Solution 4 - Sha1 | mohan babu | View Answer on Stackoverflow |
| Solution 5 - Sha1 | Johnathan Milgie | View Answer on Stackoverflow |