Browsers have recently increased efforts to encourage administrators to take advantage of updated SSL security in order to better protect sites and users. These efforts include the requirement for websites to transition to use SHA-256 certificates instead of the legacy SHA-1 certificates for online encryption.
The Chrome browser has been particularly aggressive in how it handles SHA-1 Certificates, and customers and users on some sites secured by DigiCert have reported they are getting an error that reads, “The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."
Fixing the 'outdated security settings' error is a matter of updating a few settings on your browser.
The problem is related to a locally installed legacy intermediate certificate that is no longer used and no longer required for the certificate installation. The problem can affect any client platform with a locally cached or installed intermediate certificate.
Legacy Intermediate Certificate
The certificate in question is the “DigiCert High Assurance EV Root CA” certificate. This temporary intermediate certificate was used in years ago as part of a compatibility chain for older devices. This certificate is unnecessary for installations.
Error
The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.
If there is a cross-signed SHA-1 intermediate certificate in your certificate chain, this message may appear.
Is the Error on the Browser or Server Side?
To determine where the error is occurring, use DigiCert SSL Installation Diagnostic Tool. Type in the name of your server and click “Check Server.” If a cross-signed intermediate certificate shows up in the certificate chain, then the problem is on the server side. If there is no intermediate certificate in the chain, then the problem is on the browser side. To fix the error on the server side, click here.
To fix the error on the browser side see the instructions below:
How to Remove the Cross-Signed Intermediate Certificate for Windows
How to Remove the Cross-Signed Intermediate Certificate for Mac
How to Remove the Cross-Signed Intermediate Certificate for Windows
How to Remove the Cross-Signed Intermediate Certificate for Internet Explorer
- In Internet Explorer, go to Internet Options.
- In the Internet Options window, on the Content click Certificates.
- In the Certificates window, on the Intermediate Certification Authorities tab; you should see the "Baltimore CyberTrust Root".
- Select the "Baltimore CyberTrust Root" and click Remove.
How to Remove the Cross-Signed Intermediate Certificate for Chrome
- In Chrome, go to Settings.
- On the Settings page, below Default browser, click Show advanced settings . . ..
- Under HTTPS/SSL, click Manage certificates.
- In the Certificates window, on the Intermediate Certification Authorities tab; you should see the "Baltimore CyberTrust Root".
- Select the "Baltimore CyberTrust Root" and click Remove.
How to Remove the Cross-Signed Intermediate Certificate for Firefox
- In Firefox, go to Options.
- In the Options window, click Advanced; next, click the Certificates tab, and then click View Certificates.
- Click on the Authorities tab.
- Select "DigiCert High Assurance EV Root CA" and click Delete or Distrust. . ..
- Click OK.
How to Remove the Cross-Signed Intermediate Certificate for Mac
How to Remove the Cross-Signed Intermediate Certificate for Safari
- Open Keychain Access.
- In the Finder window, under Favorites, click Applications, click Utilities, and then click Keychain Access.
- In the Keychain Access window, under Keychains, click System. Under Category, click Certificates and you should see "DigiCert High Assurance EV Root CA."
Expired Certificate Note: If you are searching for an expired "DigiCert High Assurance EV Root CA" certificate, in the Keychain Access toolbar, click View > Show Expired Certificates and search for the "DigiCert High Assurance EV Root CA."
- Click on "DigiCert High Assurance EV Root CA."
- In the Keychain Access window toolbar at the top click Edit; scroll down and click Delete.
How to Remove the Cross-Signed Intermediate Certificate for Chrome
- In Chrome, go to Settings.
- On the Settings page, below Default browser, click Show advanced settings . . ..
- Under HTTPS/SSL, click Manage certificates.
- In the Keychain Access window, under Keychains, click System. Under Category, click Certificates and you should see "DigiCert High Assurance EV Root CA."
Expired Certificate Note: If you are searching for an expired "DigiCert High Assurance EV Root CA" certificate, in the Keychain Access toolbar, click View > Show Expired Certificates and search for the "DigiCert High Assurance EV Root CA."
- Click on "DigiCert High Assurance EV Root CA."
- In the Keychain Access window click Edit then click Delete.
How to Remove the Cross-Signed Intermediate Certificate for Firefox
- In Firefox, go to Preferences.
- In the Preferences window, click Advanced; Click the Certificates and then click View Certificates.
- In the Certificate Manager window, click Authorities.
- Scroll down and find "DigiCert High Assurance EV Root CA."
- Click on "DigiCert High Assurance EV Root CA" and then click Delete or Distrust . . ..
- Click OK.
No Action Required for Most Certificate Installations
All recent installations of certificates issued by DigiCert include the most up-to-date intermediates in order to establish trust with browsers.
If you have problems on another operating system, please contact support so we can get additional details and update our documentation for other users to resolve the cached intermediate error. If you need assistance with this or any other issues, our SSL Support Team is always happy to help.