Original Poster
Vivek Rajagopalan

Chrome 57 blocking all Google sites due to SHA1 policy

Hello support,

Chrome 57 - preventing all Google sites from opening due to sha1 certificate issue.

On my machine running Chrome 57,  Linux Ubuntu 14.04 64bits when I open any Google site  - the cert chain used is the following.  Detected using a packet analytics tool.

/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
  C=US, O=Google Inc, CN=Google Internet Authority G2
/C=US/O=Google Inc/CN=Google Internet Authority G2
  C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  C=US, O=Equifax, OU=Equifax Secure Certificate Authority

You can see that the last cert in the chain Issued by Equifax to GeoTrust uses sha1, I suppose that is the reason for the block.

on a colleagues machine GeoTrust is treated as the root and not Equifax and hence he is able to go online.

I also tried the following.

1. Tried setting EnableSha1ForLocalAnchors = true and restarting the Chrome processes and machine but no luck.

2. Tried importing the GeoTrust as the root CA ; failed because it already exists.

Any ideas how I can resolve this.


Vivek Rajagopal

Community content may not be verified or up-to-date. Learn more.
All Replies (3)
Hi Vivek,

Following are some issues for you to review:
  1. The *.google.com certificate is rooted by GeoTrust Global CA.  If you show otherwise, perhaps you have some bad certs cached?  Try clear all your cert caches.
  2. If visiting secure HTTPS websites on Linux Chrome produces error ERR_CERT_WEAK_SIGNATURE_ALGORITHM, please check if the fix that works on Debian also solves the problem for you:  https://productforums.google.com/d/msg/chrome/oG8tEdIfYuA/aH1s9STYBgAJ
    # apt-get install libnss3-1d

Original Poster
Vivek Rajagopalan

In Chrome57 if Google sites arent working any more due to SHA1 signing block

1.  Open Settings -> Advanced  -> HTTS/SSL -> Manage Certificates
2, Go to Authorities Tab 
3. Scroll down the list and find "Equifax Secure CA" - then press "Edit.."
4. Uncheck all the boxes (Basically Dont Trust this CA )
5. Close everything 

Now it works !

Original Poster
Vivek Rajagopalan
Thanks for the help. 

I tried those things. Untrusting Equifax did the trick for me. See my update.

Thanks again
Were these replies helpful?
How can we improve them?
This question is locked and replying has been disabled. Still have questions? Ask the Help Community.


Some community members might have badges that indicate their identity or level of participation in a community.

Expert - Google Employee — Googler guides and community managers
Expert - Community Specialist — Google partners who share their expertise
Expert - Gold — Trusted members who are knowledgeable and active contributors
Expert - Platinum — Seasoned members who contribute beyond providing help through mentoring, creating content, and more
Expert - Alumni — Past members who are no longer active, but were previously recognized for their helpfulness
Expert - Silver — New members who are developing their product knowledge
Community content may not be verified or up-to-date. Learn more.


Member levels indicate a user's level of participation in a forum. The greater the participation, the higher the level. Everyone starts at level 1 and can rise to level 10. These activities can increase your level in a forum:

  • Post an answer.
  • Having your answer selected as the best answer.
  • Having your post rated as helpful.
  • Vote up a post.
  • Correctly mark a topic or post as abuse.

Having a post marked and removed as abuse will slow a user's advance in levels.

View profile in forum?

To view this member's profile, you need to leave the current Help page.

Report abuse in forum?

This comment originated in the Google Product Forum. To report abuse, you need to leave the current Help page.

Reply in forum?

This comment originated in the Google Product Forum. To reply, you need to leave the current Help page.