/shaaaaaaaaaaaaa

Check if a website has weak SHA-1 TLS certificates.

Primary language: JavaScript. License: BSD 3-Clause "New" or "Revised" License (BSD-3-Clause).

SHAAAAAAAAAAAAA

Note: This project, and much of its documentation, was written in the fall of 2014, when SHA-1 was still very common and the transition was only beginning. As of 2016, all CAs are required to only issue SHA-2, so updating should be easy, and the situation is less dire.

What this repo is

This repository contains the code for shaaaaaaaaaaaaa.com, a tool to check whether your site's certificate is signed using SHA-1 or SHA-2.

Read more about why I built this tool and why replacing SHA-1 is important.

This tool does not validate certificates, or test anything besides SHA-1 vs SHA-2. For that, please visit the magnificent SSL Labs for a far more comprehensive review of your SSL configuration.

No longer depends on openssl to download certificates. See below for a command line version.

How do I update to SHA-2?

Now that it's 2016: just get a new certificate. As of January 1 2016, all publicly trusted CAs are required to issue only SHA-2 certificates.

To update your intermediate, check what your CA is currently offering as the default, or go through the issuance process again to see what they provide you.

If you somehow get a SHA-1 certificate, or are given a SHA-1 intermediate, open an issue and the folks on this repo will be happy to badger the CA or figure out what's going on.

How can I help?

Check out the issue tracker. The biggest things are:

Really, just making the site better all around.

Running the website

This app requires Node. Then, install dependencies:

npm install

And run the app:

node app.js

For best results, make sure your system is using the latest version of openssl.

To run the tests:

npm test

Tests use faucet, which should have been installed during npm install above.

Command line version

To check a domain's certificate on the command line, use this repository's command line tool:

./bin/shaaaaaaaaaaaaa sha1-2017.badssl.com

This will exit with code 0, and output formatted JSON to STDOUT:

{
  "domain": "sha1-2017.badssl.com",
  "cert": {
    "algorithm": "sha1",
    "raw": "sha1WithRSAEncryption",
    "good": false,
    "root": false,
    "expires": "2017-01-05T12:00:00.000Z",
    "name": "*.badssl.com"
  },
  "intermediates": [
    {
      "algorithm": "sha1",
      "raw": "sha1WithRSAEncryption",
      "good": false,
      "root": false,
      "replacement": "http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt",
      "expires": "2023-03-08T12:00:00.000Z",
      "name": "DigiCert Secure Server CA"
    }
  ],
  "diagnosis": "bad"
}

If there's an error, you'll get some JSON with an error flag of true, and the process will exit with code 1:

$ ./bin/shaaaaaaaaaaaaa bad-domain
{
  "error": true,
  "domain": "bad-domain",
  "message": "Couldn't lookup hostname."
}
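
As an added example (not part of this repository's code), the script below consumes the JSON and exit code described above to gate a CI job on the result. The names runCheck and triage are hypothetical, and it assumes "good": false is how the tool marks a weak signature, as in the sample output.

```javascript
// Added example, not project code: gate a CI job on the CLI's JSON report.
// Assumption: "good": false marks a weak signature, as in the sample output.

// Run the CLI for one domain. Arguments are passed as an array (no shell),
// so a hostile "domain" string cannot inject commands.
function runCheck(domain, bin = './bin/shaaaaaaaaaaaaa') {
  const { spawnSync } = require('node:child_process');
  const r = spawnSync(bin, [domain], { encoding: 'utf8' });
  if (r.error) throw r.error; // binary missing or not executable
  return triage(r.stdout, r.status);
}

// Turn the CLI's stdout and exit code into a verdict; anything unexpected fails closed.
function triage(stdout, exitCode) {
  const fail = (reason, findings = []) => ({ ok: false, reason, findings });
  let report;
  try { report = JSON.parse(stdout); } catch (e) { report = null; }
  if (report === null || typeof report !== 'object') return fail('unparseable output');
  if (exitCode !== 0 || report.error === true) return fail(report.message || 'check failed');
  if (!report.cert) return fail('no certificate in report');
  const inters = Array.isArray(report.intermediates) ? report.intermediates : [];
  // Leaf first, then intermediates, in the order the tool reports them.
  const findings = [report.cert, ...inters]
    .filter((c) => c.good !== true) // a missing "good" flag counts as weak
    .map((c) => ({
      name: c.name,
      signature: c.raw,
      expires: c.expires,
      replacement: c.replacement || null, // present only where the tool knows one
    }));
  if (findings.length > 0) return fail('weak signatures in chain', findings);
  return { ok: true, reason: 'no SHA-1 signatures reported', findings };
}

// Constructed inputs, trimmed from the two outputs shown in this README.
const SAMPLE_BAD = JSON.stringify({
  domain: 'sha1-2017.badssl.com',
  cert: { raw: 'sha1WithRSAEncryption', good: false,
    expires: '2017-01-05T12:00:00.000Z', name: '*.badssl.com' },
  intermediates: [{ raw: 'sha1WithRSAEncryption', good: false,
    replacement: 'http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt',
    expires: '2023-03-08T12:00:00.000Z', name: 'DigiCert Secure Server CA' }],
  diagnosis: 'bad',
});
const SAMPLE_ERROR = JSON.stringify({ error: true, domain: 'bad-domain',
  message: "Couldn't lookup hostname." });

console.log(triage(SAMPLE_BAD, 0));
console.log(triage(SAMPLE_ERROR, 1));
```

In a CI job, call runCheck with the domain and exit non-zero when ok is false; the findings list names each certificate to reissue and, where the tool supplied one, the replacement intermediate.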

Author

This is a tiny tool by Eric Mill. Released under an MIT License.