As of late 2014, SHA1 certificates and their SHA1 trust chains (not including the Root CA) will be considered insecure by Google Chrome.
A three-step process will increase the severity of the warning:
Initially, SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon. This is a lock with a yellow triangle.
Severity will increase thereafter, where: SHA1 certificates that expire between 2016/6/1 and 2016/12/31, inclusively, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon. This is a lock with a yellow triangle.
SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Neutral, no security" icon. This is the blank page icon, as shown by HTTP URLs.
Finally, Chrome will render websites with SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, with the "Affirmatively insecure, major errors" icon. This icon is a lock with a red X.
To resolve this issue, SHA2 certificates must be installed.
What about the Cross Root Chaining? For example:
Chain one : >> (1) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca1(N/A)
or
Chain two : >> (2) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha1)<- ca2-ca2(N/A)
or
Chain three: >> (3) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha256) <- ca2-ca2(N/A)
As per Ryan from Google:
"On all of our platforms, it will prefer (1) if ca1 is trusted. It would only go to (2) if ca1 is not trusted. On the platforms where this is the case, the peer supplying ca1-ca2(sha256) as part of the handshake ensures that (3) is preferred, if ca2 is trusted."
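An added example (not code from the original post or from Chrome) that models the three steps and the three cross-root chains above, showing which validated chain trips the SHA-1 rule and which indicator results. The Cert class, the function names and all dates are constructed for illustration; it assumes the expiry date that matters is the site certificate's, and it returns None where the post states no indicator change.

```python
from dataclasses import dataclass
from datetime import date

# Indicator names as given in the article.
MINOR = "Secure, but minor errors"                 # lock with a yellow triangle
NEUTRAL = "Neutral, no security"                   # blank page icon
INSECURE = "Affirmatively insecure, major errors"  # lock with a red X

@dataclass
class Cert:
    subject: str
    issuer: str
    sig_hash: str     # hash used in the signature on this certificate
    not_after: date

def sha1_links(chain):
    """SHA-1-signed certs in a leaf-first chain; the last entry (Root CA) is not counted."""
    return [c for c in chain[:-1] if c.sig_hash.lower().replace("-", "") == "sha1"]

def indicator(chain, step):
    """Indicator the article gives for rollout step 1, 2 or 3, or None if it states no change."""
    if not sha1_links(chain):
        return None
    expiry = chain[0].not_after  # assumption: the site (leaf) certificate's expiry decides
    if expiry >= date(2017, 1, 1):
        return {1: MINOR, 2: NEUTRAL, 3: INSECURE}[step]
    if step == 2 and date(2016, 6, 1) <= expiry <= date(2016, 12, 31):
        return MINOR
    return None

def sample_chain(number, leaf_expiry):
    """Constructed model of chains (1)-(3) from the article; all dates are made up."""
    far = date(2025, 1, 1)
    chain = [Cert("example.org", "int1", "sha256", leaf_expiry),
             Cert("int1", "ca1", "sha256", far)]
    if number == 1:
        return chain + [Cert("ca1", "ca1", "n/a", far)]
    cross_hash = "sha1" if number == 2 else "sha256"
    return chain + [Cert("ca1", "ca2", cross_hash, far), Cert("ca2", "ca2", "n/a", far)]

if __name__ == "__main__":
    for number in (1, 2, 3):
        chain = sample_chain(number, date(2017, 3, 1))
        flagged = [f"{c.subject}-{c.issuer}" for c in sha1_links(chain)]
        print(number, flagged, [indicator(chain, step) for step in (1, 2, 3)])
```

Only chain (2) is flagged, because its SHA-1 signature sits on the ca1-ca2 cross-certificate, which is an intermediate in that path and not the root.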
SHA1 certificate shown as insecure or with mix content warning on Google Chrome 39
Sep 09 2014, 8:59 AM
by Robert Lin 1
Google: Gradually sunsetting SHA-1