Short answer
The signature algorithm is how the CA confirms the certificate's authenticity: a cryptographic hash of the certificate's contents, signed with the CA's private key. SHA-1 is broken — researchers produced real collisions — and browsers rejected SHA-1 certificates back in 2017. Today all public certificates must be signed with SHA-256 (or stronger). Check yours with openssl x509 -text and look for sha256WithRSAEncryption or ecdsa-with-SHA256.
What the signature algorithm actually does
A certificate consists of data (domain names, public key, validity period) plus a signature. The CA computes a hash of the data and encrypts it with its private key. Any client can recompute the hash and verify the signature with the CA's public key. If anyone changes even one character in the certificate, the hash changes and the signature no longer matches. All of the security therefore rests on it being impossible to find two different inputs with the same hash — a collision.
Why SHA-1 died
SHA-1 produces a 160-bit hash. Theoretical weaknesses were found as early as 2005, and in 2017 a practical collision ("SHAttered") demonstrated that two different documents could be produced with the same SHA-1 hash. For certificates a collision means an attacker could in principle have a legitimate certificate signed and reuse the signature on a forged one. Browsers therefore removed trust in SHA-1 certificates entirely. MD5, an even older hash, was broken even earlier and was used in a real-world attack against a CA.
| Hash | Output | Status |
|---|---|---|
| MD5 | 128-bit | Broken — never use |
| SHA-1 | 160-bit | Broken — retired 2017 |
| SHA-256 | 256-bit | Recommended standard |
| SHA-384/512 | 384/512-bit | Stronger, fully secure |
Check your certificate's signature algorithm
```bash
openssl x509 -in cert.pem -noout -text | grep -i "Signature Algorithm"
```
A healthy certificate shows sha256WithRSAEncryption (RSA key) or ecdsa-with-SHA256 (ECDSA key). If you see sha1WithRSAEncryption or md5WithRSAEncryption, the certificate must be replaced immediately. Straight from a server:
```bash
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -text | grep -i "Signature Algorithm" | head -1
```
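The same check done programmatically, as an added example that is not from the original article or from CertControl: it walks the DER encoding to the signatureAlgorithm field, maps the OID to the name openssl prints, flags MD5 and SHA-1, and also verifies that the inner tbsCertificate.signature field agrees with the outer one. stub_cert builds a constructed, non-verifiable certificate skeleton so the script runs offline; on real input, pass the raw bytes of a PEM or DER file to signature_algorithm.

```python
import base64, re
# OID -> (OpenSSL name, hash) for the signature algorithms the article covers.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _alg_oid(der, pos):
    """Dotted OID of the AlgorithmIdentifier SEQUENCE { OID, parameters } at pos."""
    _, s, e = _tlv(der, _tlv(der, pos)[1])  # first element of the SEQUENCE is the OID
    arcs, value = [str(der[s] // 40), str(der[s] % 40)], 0
    for b in der[s + 1:e]:  # later arcs are base-128; high bit set = more bytes follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_algorithm(cert):  # -> (oid, openssl_name, hash, weak) for PEM or DER bytes
    pem = cert.lstrip().startswith(b"-----")  # PEM: strip the armour lines, base64-decode
    der = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert)) if pem else cert
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, pos)  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, tbs_start)      # optional [0] EXPLICIT version ...
    if tag == 0xA0:
        _, _, end = _tlv(der, end)          # ... then serialNumber INTEGER
    inner, outer = _alg_oid(der, end), _alg_oid(der, tbs_end)
    if inner != outer:  # RFC 5280: tbsCertificate.signature must equal signatureAlgorithm
        raise ValueError(f"signature algorithm mismatch: {inner} != {outer}")
    name, hash_name = SIG_ALGS.get(outer, ("unknown", "unknown"))
    return outer, name, hash_name, hash_name in {"MD5", "SHA-1"}

def _der(tag, content):  # short-form DER TLV, enough for the stub below
    return bytes([tag, len(content)]) + content

def stub_cert(oid_hex):  # constructed stub for offline testing, NOT a real certificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")  # { oid, NULL }
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg)  # v3, serial 1
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))  # + dummy signature BIT STRING
```

An OID outside the small SIG_ALGS table (RSA-PSS, for instance) comes back as "unknown"; extend the table for your environment.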
SHA-256 in the cipher suite name is something else
Beware a common confusion: the SHA256 at the end of a cipher suite name such as ECDHE-RSA-AES128-GCM-SHA256 refers to the hash used for key derivation in the TLS session itself — not to the certificate's signature algorithm. They are two different things that happen to use the same hash family. Read how the name is built in what is a cipher suite.
Where SHA-1 still shows up
Public CAs no longer issue SHA-1 certificates, but they still exist in two corners: internal CAs that were never updated, and old self-signed certificates on internal infrastructure. These pose a real risk, because an internal attacker can exploit the collision weakness — and they are rarely caught in a browser test, since internal systems are not visited by compliance scanners.
How CertControl catches outdated signatures
CertControl reads the signature algorithm on every certificate it finds — both public endpoints and internal ones discovered via the agent — and raises a high-severity finding on anything still using SHA-1 or MD5. So you see the weak certificates in one consolidated view rather than discovering them in an audit. Read more about a certificate's structure in what is a TLS certificate and how the chain fits together in the certificate chain explained.
Frequently asked questions
What is the difference between a hash and a signature?
A hash is a fixed-length fingerprint of data. A signature is the hash encrypted with a private key, so the recipient can confirm both integrity and sender. The signature algorithm describes which hash plus which key type is used.
Why is SHA-1 insecure if it cannot be reversed?
Security depends not only on the hash being irreversible, but on collision resistance — being unable to find two inputs with the same hash. SHA-1's collision resistance is broken, and that is enough to forge signatures.
So what does SHA256 in a cipher suite name mean?
There SHA256 refers to the hash used for key derivation in the TLS session, not the certificate's signature. It is a separate use of the same hash family.
Should I use SHA-384 or SHA-512 instead of SHA-256?
SHA-256 is fully secure and the standard for most certificates. SHA-384 is typically used with ECDSA P-384 or when a compliance requirement demands it. There is no practical security reason to avoid SHA-256 for ordinary use.
How do I know if I have old SHA-1 certificates?
Check the signature algorithm with openssl, or scan your whole fleet. The most dangerous ones often sit on internal systems and old self-signed certificates that public scanners do not reach.