NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM means the browser rejected the website certificate because it was signed with a cryptographic algorithm that is no longer considered secure. In practice, this usually points to legacy certificates that still rely on SHA-1 or similarly outdated signing methods that modern browsers distrust.
This is not a cosmetic warning. It is a certificate trust failure. Chrome phased out SHA-1 certificate support years ago, and modern browsers increasingly block weak signing and legacy TLS behavior instead of allowing users to ignore it.
Quick Fix
- Check whether the error affects one website or many HTTPS websites.
- Open the same site in another browser to confirm whether the issue is browser-specific.
- If you own the site, replace the certificate with a modern SHA-256 certificate from a trusted CA.
- Make sure the full certificate chain is installed correctly.
- Check that no old intermediate certificate signed with SHA-1 is still being served.
- Disable antivirus HTTPS scanning or proxy inspection temporarily and retest.
- Check whether the device clock is correct.
- Update the browser and operating system.
- If the site is behind a proxy or CDN, verify the origin certificate chain too.
- Do not try to “work around” the warning on a public site. Fix the certificate instead.
What Is NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM?
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM is a browser certificate error that appears when the certificate chain uses a signing algorithm the browser considers too weak for modern HTTPS. The most common historical example is SHA-1. Google documented Chrome’s removal of SHA-1 certificate support and noted that Chrome also later disabled TLS 1.0 and 1.1, which relied on SHA-1 throughout.
In simple terms, the browser is saying this:
- the site is trying to prove its identity with outdated cryptography,
- that cryptography is no longer trustworthy enough,
- so the secure connection cannot be accepted.
You may see this error after:
- opening an old website with a legacy certificate,
- moving a site and accidentally keeping an outdated certificate chain,
- serving an old intermediate certificate from the server,
- using a proxy or antivirus product that injects weak certificates locally.
Why NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM Happens
Most real cases come from a short list of causes.
1. The Website Certificate Uses SHA-1 or Another Weak Signing Algorithm
This is the main cause. Chrome’s documented SHA-1 phaseout means public HTTPS certificates signed with SHA-1 are no longer acceptable in modern browsing. If the leaf certificate itself uses a weak signature algorithm, browsers can reject it outright.
2. An Intermediate Certificate in the Chain Is Weak or Outdated
The site certificate may look modern at first glance, but the chain can still fail if the server sends an old intermediate certificate signed with a weak algorithm. Browsers validate the trust chain, not only the top visible certificate. That is why replacing only the leaf certificate is sometimes not enough.
3. Antivirus or Proxy Software Is Rewriting Certificates
Google Chrome support community discussions around certificate errors note that antivirus software can rewrite certificates on the fly. If local security software injects a weak or badly trusted certificate, Chrome may report certificate errors even when the real website certificate is fine.
This is more likely if:
- the site works on another device,
- many secure sites fail on one machine only,
- the problem started after a security software update.
4. The Browser or Operating System Is Outdated
Very old systems can create strange certificate behavior because they use outdated trust stores or cannot negotiate modern HTTPS correctly. At the same time, modern browsers on old systems may be especially strict about deprecated certificate chains. Firefox’s current download pages also show that support has been dropped for older Windows and macOS versions, which is a practical sign that outdated environments are a real compatibility risk.
5. The Site Is Serving a Mixed Legacy HTTPS Configuration
Some sites have partially upgraded HTTPS. For example:
- the server serves a newer certificate but an old chain,
- the CDN uses a modern edge certificate but the origin still has a legacy certificate,
- the main hostname is fixed but a redirect target still uses weak cryptography.
In those cases, the site may appear to be “mostly updated” while one weak link still breaks certificate trust.
How to Fix NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM Step by Step
Start by finding out whether this is a site problem or a local machine problem.
1. Check Whether One Site Fails or Many Sites Fail
- If only one site fails, the website’s certificate chain is the strongest suspect.
- If many secure sites fail, local antivirus, proxy inspection, or system trust problems become much more likely.
This one check saves time.
2. Test the Site in Another Browser
Open the same URL in another major browser.
- If the site fails everywhere, the certificate setup is probably genuinely broken.
- If the site fails only in one browser, local browser state, injected certificates, or trust handling may be involved.
3. If You Own the Site, Replace the Certificate with a Modern One
This is the core fix for public websites. Use a trusted certificate authority and make sure the certificate is signed with a modern algorithm such as SHA-256, not SHA-1. Google’s documentation on SHA-1 deprecation makes clear that weak certificate signatures are no longer acceptable in Chrome.
4. Replace the Full Certificate Chain, Not Just the Leaf Certificate
Do not stop after renewing the visible certificate. Check whether the server is still sending:
- an old intermediate certificate,
- an incomplete chain,
- a wrong chain file from a previous certificate installation.
This is one of the most common reasons a site still fails after “renewing the certificate.”
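The chain check from this step, as an added example (not code from the original page): it reads a PEM bundle in served order and reports the signature algorithm of every certificate, so a SHA-1 intermediate behind a modern leaf shows up. The function names and the skeleton certificates in `sample_bundle` are constructed for illustration; the OIDs are the standard published values.

```python
import base64, re
# Well-known signature-algorithm OIDs (PKCS #1 and ANSI X9.62).
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
MODERN = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
          "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def _oid(raw):  # decode DER OID content bytes to dotted notation
    first = min(raw[0] // 40, 2)
    arcs, val = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, body, _ = _tlv(der, 0)        # outer SEQUENCE
    _, _, tbs_end = _tlv(der, body)  # skip tbsCertificate
    _, alg, _ = _tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    _, start, end = _tlv(der, alg)   # its first element is the OID
    return _oid(der[start:end])

def audit_chain(pem_bundle):
    """Return (position, algorithm, is_weak) per certificate, in served order."""
    oids = [signature_oid(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle)]
    return [(i, WEAK.get(o) or MODERN.get(o, o), o in WEAK) for i, o in enumerate(oids)]

def sample_bundle():
    """Constructed skeleton certs (not real): SHA-256 leaf, then SHA-1 intermediate."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    out = ""
    for oid in ("2a864886f70d01010b", "2a864886f70d010105"):
        alg = enc(0x30, enc(0x06, bytes.fromhex(oid)) + b"\x05\x00")
        der = enc(0x30, enc(0x30, b"") + alg + enc(0x03, b"\x00"))
        out += "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
    return out
```

Feed `audit_chain` the chain file the server is configured to send, or the certificates printed by `openssl s_client -connect HOST:443 -showcerts` for the hostname being checked. A weak result at position 1 or later with a modern leaf at position 0 is the case described in this step.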
5. Check Antivirus HTTPS Scanning and Local Inspection
If the issue affects many trusted websites on one machine, disable HTTPS scanning or web protection temporarily and test again. Chrome support discussions explicitly mention antivirus certificate rewriting as a cause of certificate errors.
If the site works after that, the website may not be the real problem.
6. Check Whether a Proxy or Corporate Gateway Is Intercepting TLS
In managed networks, HTTPS inspection gateways may replace site certificates with locally generated ones. If those generated certificates use weak or badly trusted signing, the browser can fail with certificate errors. This is especially likely on office or school networks where only managed devices are affected.
7. Update the Browser and Operating System
Use a supported browser on a supported system. Firefox’s download pages currently show that Windows 8.1 and older, and macOS 10.14 and older, are no longer supported for standard Firefox releases. Outdated platforms increase the risk of broken TLS and certificate trust behavior.
8. Check Redirect Targets and Alternate Hostnames
Sometimes the main URL looks fine, but the browser is redirected to another hostname with an old certificate.
Check:
- HTTP to HTTPS redirects,
- www to non-www redirects,
- old subdomains,
- CDN or load balancer hostnames,
- legacy login or admin endpoints.
9. Review Recent Certificate and Hosting Changes
This is often the shortest route to the cause.
Ask what changed before the error started:
- certificate renewal,
- hosting migration,
- proxy or CDN setup,
- load balancer changes,
- security software installation,
- server panel certificate import.
Most weak-signature certificate failures appear right after one of those changes.
Advanced Troubleshooting
Understand That This Is Usually a Trust-Chain Problem, Not a Browser Bug
Chrome’s SHA-1 deprecation made weak signature algorithms a deliberate browser trust failure, not a random rendering bug. If the browser reports a weak certificate signature, the safe assumption is that the chain is outdated until proven otherwise.
Distinguish Site-Wide Failure from Local Interception
This is the most important advanced distinction.
- One website only usually means the website chain is weak or incomplete.
- Many secure sites on one device usually means antivirus, proxy inspection, or local certificate injection.
Watch for Legacy TLS Around the Certificate Problem
Google’s SHA-1 deprecation notes also mention the broader removal of TLS 1.0 and TLS 1.1 in Chrome, both of which depended heavily on SHA-1. That matters because weak signature algorithm errors often appear on systems that also have generally outdated HTTPS stacks, not just one bad certificate.
Do Not Train Users to Ignore Certificate Errors
This error exists because the browser is protecting the user from weak cryptography. The correct fix is to replace the weak certificate or remove the interception problem. The wrong fix is teaching users to bypass or ignore certificate trust failures.
Prevention Tips
- Use modern public certificates signed with SHA-256.
- Replace the full certificate chain during renewals.
- Audit CDN, proxy, and origin certificates together.
- Remove legacy intermediates from server configs.
- Keep browsers and operating systems supported and updated.
- Be careful with antivirus HTTPS inspection on admin machines.
- Test HTTPS after every migration or certificate change.
The best prevention is simple: keep the entire HTTPS chain modern, not just the visible certificate.
When to Contact Support
Contact your hosting provider or certificate provider if:
- the error affects one website only,
- the certificate was recently renewed or migrated,
- you may be serving an old intermediate certificate,
- you need help replacing the chain correctly.
Contact your IT or security admin if:
- many secure sites fail on one managed machine,
- proxy inspection or endpoint security may be intercepting HTTPS,
- the issue appears only on a corporate network.
Focus on local troubleshooting if:
- another device opens the site normally,
- turning off antivirus HTTPS scanning changes the result,
- the browser is outdated or unsupported.
FAQ
What does NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM mean?
It means the browser rejected the certificate because it was signed with a weak or deprecated cryptographic signature algorithm, most commonly a legacy SHA-1-based certificate chain.
How do I fix NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM fast?
If you own the site, replace the certificate and full chain with a modern SHA-256 certificate from a trusted CA. If many sites fail on one machine, disable antivirus HTTPS scanning and check for proxy interception first.
Can antivirus cause NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM?
Yes. Antivirus or security products can rewrite certificates locally, and Chrome support discussions explicitly note that antivirus can cause certificate errors by rewriting certificate behavior.
Why does the site work for some users but not for me?
If the site works elsewhere, your device may be using intercepted HTTPS, outdated software, or a local trust path that differs from other users. If the site fails for everyone, the website certificate chain is more likely the real cause.
Is SHA-1 still acceptable for public website certificates?
No, not for modern public web browsing. Chrome documented the removal of SHA-1 certificate support years ago, and modern browsers now treat SHA-1 certificate use as insecure legacy behavior.
Final Thoughts
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM is usually a sign that the website or the local HTTPS inspection layer is relying on outdated certificate cryptography. In most cases, the real fix is not in the browser. It is in the certificate chain, the proxy, or the security product rewriting that chain.
Start with the simple split first: one website or many. Then replace the certificate chain, remove weak intermediates, and check for antivirus or proxy interception. That order solves most weak-signature certificate errors much faster than random troubleshooting.