SSL : How to check if current certificate is sha1 or sha2

Got an email notification today by my SSL certificate provider, highlighting the weaknesses of SHA1 SSL certificate( which is roughly used by 90% of the SSL-ed websites out there ) and urging me to regenerate the certificates to SHA2 standard. If not, then sometimes in future, Google Chrome will marked the SHA1 https to be insecure https.

In this tutorial, we will learn how to check if the current SSL certificate is sha1 or sha2

1st method :

Use https://www.sha2sslchecker.com to check your website SSL cert. If your certificate is SHA2 . You will see a big green table with the description

Algorithm Type : sha256WithRSAEncryption

If your certificate is SHA1, then you will see a red table with the description

Algorithm Type : sha1WithRSAEncryption

At the time of writing this tutorial, checking maybank2u.com website with https://www.sha2sslchecker.com/www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login will produce a big red flag.

2nd method:

This is to check your website certificate from the command line :

openssl s_client -connect www.yoursite.com:443 < /dev/null 2>/dev/null

| openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"

the result should look like

Signature Algorithm: sha1WithRSAEncryption for sha1

and

Signature Algorithm: sha256WithRSAEncryption for sha2

Remember to generate new SSL certificates that are SHA2 standard if your website still using SHA1 Algorithm.

References :

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html