How To Fix NET:: ERR_CERT_WEAK_SIGNATURE_ALGORITHM

If you are seeing this error while visiting a website, it is probably because the website is using an SSL certificate with an outdated hashing algorithm.

What is the outdated hashing algorithm issue?

Earlier, the SHA-1 hash algorithm was used in the digital certificates to encrypt the data. But in 2017, researchers at the Dutch Research Institute CWI and Google jointly broken the SHA-1 algorithm, which had160-bit longer fingerprint, to prove that SHA-1 was no more secure algorithm to use for a digital certificate. SSL certificates using SHA-1 ceased to be recognized by all the major browsers and operating systems. 

Since 2017, SHA-2, the upgraded version of SHA-1, became the industry norm and made all the certificate authorities to move from SHA-1 to SHA-2. SHA-2 is using 256-bit longer signature key which provides robust security. 

However, the digital certificates issued before 2017, which were using SHA-1 needed to be re-issued with SHA-2. If the website owner has not requested the certificate authority to re-issue the SSL certificate with the new SHA-2 algorithm, the browsers will show the NET:: ERR_CERT_WEAK_SIGNATURE_ALGORITHM error.  

How to get rid of NET:: ERR_CERT_WEAK_SIGNATURE_ALGORITHM error?

Solution For website owners

As a website owner, you need to ask your certificate authority to re-issue the SSL with latest SHA-2 algorithm. Some CAs will charge an extra fee for the same while some CAs will do it for free. 

If you are using RapidSSL, re-issuance is FREE.  

You can also buy a new SSL certificate that, by default, comes with SHA-2. You can get a new SSL certificate for the rates as low as $14.95/year with SHA-2 and $10000 warranty. 

As soon as you have successfully re-issued/purchased and reinstalled the SSL certificate with the latest algorithm, all the browsers will stop showing ERR_CERT_WEAK_SIGNATURE_ALGORITHM error message to your users.  

Solution for web visitors

As you have read above, the permanent solution of the ERR_CERT_WEAK_SIGNATURE_ALGORITHM error is only in the website owner’s hands.  

However, sometimes there are issues with your operating system or browser that show the error even after the website has already shifted from SHA-1 to SHA-2. You can apply the following solutions to know if that is the case. 

Update The Operating System

• Type chrome://settings/help in the Chrome address bar. 
• Chrome will automatically update itself.
• Click on the Relaunch.

Clear Cache Memory

Sometimes the website has already re-issued the SSL with the latest algorithm, but the earlier cache memory of your browser is still showing the error. Clear all the cookies to get rid of the error message.

• Go to Chrome–>click on the menu –>Setting

• Scroll down till the end of the page and click on ‘Advanced’–>Privacy and security –> clear browsing data

• Select all the 3 options and click on ‘clear data.’

• Turn off the browser and restart it.

Reset Chrome

• Type Chrome://settings in Chrome Address bar.
• Click on ‘Advanced’
• Locate ‘Reset settings to their original defaults’ under Reset and clean up
• Click on ‘Reset setting’ tab from the box.

Clear DNS Cache

• Open Chrome 
• Write “chrome://net-internals/#dns” in the address bar.
• Click on Clear-Host Cache Button

If the issue is with DNS, this simple step will solve the problem.

Ignore all the ‘Your Connection is not private’ error. (Not Recommended)

If none of the above options work, it shows that the website you are trying to reach is still using the SSL certificate with an outdated algorithm. In such a case, only the website owner can solve the issue. However, there are some tricks you can use to make your browser ignore such SSL related errors.  

You should apply these tricks only when you are totally sure that the website you are trying to use is safe to visit. We strongly recommend not to share any sensitive financial details (credit card numbers, CVV, ATM PIN, bank account number, routing number) or personal identifiable information-PII (name, date of birth, phone number, email ids, physical address, etc.) on such website. Your information on the website using a weak algorithm can be easily stolen. 

Ignore Certificate Errors From Chrome Properties

Right click on your Chrome icon from your desktop –> Properties –> Shortcut.  

Now write down “-ignore-certificate-errors” after /chrome.exe in the ‘Target’ field. Press Apply, and then OK. Restart the Chrome 

Disable Antivirus Software/Firewall

Some antivirus software and firewalls have inbuilt “HTTPS protection” or “HTTPS scanning” feature. So, they prevent any website that has SSL related error.  You can disable your antivirus program for a while and revisit the website. Do not forget to turn the antivirus on once you are done visiting the website. 

Turn The Extension Off

• Go to Chrome, click on the menu from the top right side.  
• Go to ‘new incognito window.’ 
• Try to open the website in incognito mode. 

If the website gets open without an error, the issue is with Chrome extension. You need to turn off the extensions.

• Go to Chrome. Click on the menu at the top right, 
• Go to More tools  
• Click on Extensions. 
• Find the security-related extensions, for example, Norton Identity Safe, Avast Online Security, HTTPS Everywhere, DotVPN, Windows Defender. Turn on/off: Turn the extension off. 

Clear SSL State

Go to Control panel –> Network and Internet –> Internet Options –> Content.

• Now, click on ‘Clear SSL State.’ 

Continue With An Insecure Connection

If you are totally sure that the website you are trying to open is harmless and want to proceed further on your own risk,

Click on ‘ADVANCED’ on the bottom right of the error page. –> “Proceed to randomsite.com(unsafe)”