I have a wildcard domain certificate from StartSSL for a site (https://later.webblocks.nl/).
When I check it in any browser on my home PC, it's all good. (Green lock in Chrome.) When I check it in Chrome on my work PC, it's not good:
The page loads like no problem. There are no other requests, so nothing over HTTP. It uses safe protocols etc. I checked the connection on SSL Labs and Global Sign and they agree it's perfectly safe.
On the same computer, other browsers are fine with it. On other computers, Chrome is fine with it too. I tried restarting, flushing caches, incognito mode, etc. Nothing changes.
It's no real problem for me, because I know it's safe, but it's still annoying.
Any ideas?
PS. Chrome did something like this a while ago with Windows XP: suddenly websites were 'unsafe' because Windows protocols were unsafe. Both PCs are Windows 7 and the same version of Chrome, so that's probably not it...
More info:
For some reason the 2 computers have different certificate chains. The domain certificate and root certificate are the same, but the intermediary is different. On my home PC it uses sha2, on my work PC it uses sha1. The intermediary is included in the server cert (which has sha2), so that's weird. All the SSL checkers only detect the sha2 intermediary cert. What's going on!?
The reason is explained on StartCOM's forum:
https://forum.startcom.org/viewtopic.php?f=15&t=15929&p=21716
And on Chrome's:
https://code.google.com/p/chromium/issues/detail?id=473105
It is indeed SHA1.
It's due to Windows' or Chrome's certificate cache. Because they (old and new intermediary cert) have the same name, the client will use the cached variant, which might be old and SHA1. The naming is StartCOM's fault. The bad caching is Windows' or Chrome's fault. They're not working very hard to fix it.
SSL checkers don't have the same problem, because they don't use cached anything.
Different computers have different results, because the cache is local.
The (very specific, local) solution on the StartCom forum works for me: clear cert from local cache, to trigger redownload of new cert, but it's not really a solution for all other users. (In my case only a few, so no problem.)
I believe this might have to do with the deprecation of SHA-1. Early this year, Google made a change on its Chrome 41 browser. Accordingly, 'sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Trusted root certificates using SHA1 are not affected. Clients trust them for identity purposes and not for the strength of their signature algorithm'. This was a direct quote from the above link.
I checked your certificate - it expires after 01/2017 and although the certificate for your domain was signed using SHA-2, the intermediate chain certificate for 'StartCom Class 2 Primary Intermediate Server CA' that you are using uses SHA-1 signature algorithm. The intermediate also expires after 01/2017.
Sorry, would have added as a comment but not enough rep. See here: https://security.stackexchange.com/questions/52834/what-exactly-does-it-mean-when-chrome-reports-a-certificate-does-not-have-publi
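As an added example that is not part of any answer above, here is a small Go audit that applies the Chrome 41 rule quoted in the last answer (SHA-1 signature below the root plus a leaf expiring on or after 1 January 2017) to a chain in the order `crypto/tls` delivers it, skipping a self-signed root because clients trust roots by identity rather than by signature. The chain it runs on is constructed to mirror the work-PC case; the root name and all dates are assumptions, only the intermediate's name comes from the thread.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// Chrome 41 cutoff quoted in the answer: a leaf expiring on or after this date
// with a SHA-1 signature below the root makes the chain "affirmatively insecure".
var sha1Cutoff = time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)

func isSHA1(alg x509.SignatureAlgorithm) bool {
	return alg == x509.SHA1WithRSA || alg == x509.DSAWithSHA1 || alg == x509.ECDSAWithSHA1
}

// auditChain takes a chain as the TLS layer delivers it (leaf first) and reports every
// SHA-1 signed certificate except a self-signed root (subject DN equal to issuer DN).
func auditChain(chain []*x509.Certificate) []string {
	var findings []string
	for i, c := range chain {
		if c.Subject.String() == c.Issuer.String() || !isSHA1(c.SignatureAlgorithm) {
			continue
		}
		f := fmt.Sprintf("cert[%d] %q is signed with %s", i, c.Subject.CommonName, c.SignatureAlgorithm)
		if !chain[0].NotAfter.Before(sha1Cutoff) {
			f += "; leaf expires on/after 2017-01-01, so Chrome 41+ flags the whole chain"
		}
		findings = append(findings, f)
	}
	return findings
}

// constructedChain stands in for conn.ConnectionState().PeerCertificates on the work PC:
// SHA-2 leaf, the cached SHA-1 intermediate, SHA-1 root. Root name and dates are constructed.
func constructedChain() []*x509.Certificate {
	cert := func(cn, issuer string, alg x509.SignatureAlgorithm, y int) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, Issuer: pkix.Name{CommonName: issuer},
			SignatureAlgorithm: alg, NotAfter: time.Date(y, 6, 1, 0, 0, 0, 0, time.UTC)}
	}
	const inter, root = "StartCom Class 2 Primary Intermediate Server CA", "Example Root CA (constructed)"
	return []*x509.Certificate{
		cert("*.webblocks.nl", inter, x509.SHA256WithRSA, 2017),
		cert(inter, root, x509.SHA1WithRSA, 2017),
		cert(root, root, x509.SHA1WithRSA, 2036),
	}
}

func main() { fmt.Println(auditChain(constructedChain())) }
```

Feeding it `conn.ConnectionState().PeerCertificates` from a real `tls.Dial` shows only the chain the server sends, which is what the SSL checkers saw; the work PC's Chrome substituted its cached SHA-1 intermediate for that same name, which no fresh dial can reproduce.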