Charlie Harvey

Quick tip: Making Gandi SHA-2 certificates work with all browsers

At newint we are working our way through our SSL/TLS certificates to make sure they are all signed with SHA2 algorithim, rather than SHA1, which is starting to show its age. SHA2 image

We use Gandi as our certificate provider. As you can see, they have very recently started issuing SHA2 certificates if you sign them with SHA2.

This is a quick guide to how to do that, as I found the docs a bit hard to follow.

When not to use SHA2

If you have to support older browsers, then you may face issues with SHA2 certificates. Also you need a little trickery to make the Gandi certificates work properly with Firefox. Here is a list of browsers that support SHA2.

  • Internet Explorer 6.0+ (on Windows XP SP3+)
  • Firefox 1.5+
  • Netscape 7.1+
  • Mozilla 1.4+
  • Safari from Mac OS X 10.5+
  • Opera 9.0+
  • Konqueror 3.5.6+
  • Chrome 26+

Using SHA2 with Gandi

You will first of all need to generate a CSR for your new certificate. I will assume that you have already generated your private key. openssl req -nodes -sha256 -newkey rsa:2048 -keyout /etc/ssl/certs/YourPrivateKey.key -out /etc/ssl/certs/YourDomain.csr

You will get asked the standard questions that openssl needs for your CSR.

  • Country Name is a two letter country code like GB.
  • State or Province Name could be Oxfordshire or Essex or what have you.
  • Locality Name is a full city name like London.
  • Organization Name is the full name of your organization, eg. MyCompany Ltd.
  • Organizational Unit Name is used to specify a department if you feel the need. I’ve always felt it was rather bureaucratic and unnecessary.
  • Common Name for SSL is the FQDN — the URL of your website, say, For Gandi’s standard certificates, your certificate will be valid for this and

I generally leave the last three fields blank:

  • Email address.
  • A challenge password.
  • An optional company name.

Once you have your CSR made you go through the standard Gandi certificate regeneration process (click the pencil icon, paste your shiny new CSR in, wait for the email, verify your request, wait, wait, get your new certificate).

Making it work with Firefox

Unfortunately as configured, your new certificate will break Firefox, which gives this sort of error. uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

The problem, we eventually worked out, is that you need not only Gandi’s intermediate cert, but the Root CA for SHA2 certificates from Usertrust in your certificate authority pem file.

Here’s a bash one liner to get them into a file called GandiStandardSSLCA2.pem. (wget --no-check-certificate -q -O - && wget -q -O - | openssl x509 -inform der -outform pem) > GandiStandardSSLCA2.pem

Now you should be able to add something like the following lines to your Apache config and your certificate should just work. In Firefox too. SSLCertificateFile /etc/ssl/certs/your.domain.crt SSLCertificateKeyFile /etc/ssl/certs/your.private.key SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem

Restart Apache and your new cert should work as expected across the usual browsers.

Updated To include no-check-certificate in the wget params, per Laurent’s suggestion in the comments


  • Be respectful. You may want to read the comment guidelines before posting.
  • You can use Markdown syntax to format your comments. You can only use level 5 and 6 headings.
  • You can add class="your language" to code blocks to help highlight.js highlight them correctly.

Privacy note: This form will forward your IP address, user agent and referrer to the Akismet, StopForumSpam and Botscout spam filtering services. I don’t log these details. Those services will. I do log everything you type into the form. Full privacy statement.