Article ID: 123904, created on Dec 12, 2014, last review on Sep 22, 2016

  • Applies to:
  • Plesk for Linux/Unix
  • Plesk for Windows


How to switch from SHA-1 to SHA-2 for the Certificate Signing Request (CSR) in Plesk 12.0? This is required as per the PayPal vulnerability alert:

Or, because the following error is shown when trying to order a certificate from a CA with a Plesk CSR:

[CODE: 2038] [MESSAGE: After 12/31/2016, most browsers will not trust certificates that use SHA1. Use SHA2 instead.]
Cannot parse CSR.


Edit the /usr/local/psa/admin/conf/openssl.cnf file (for Linux) or the %plesk_dir%\admin\conf\openssl.cnf file (for Windows) and add the line default_md = sha256 to the [req] section, so that the [req] section looks like this:

[ req ]

default_md = sha256
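
The following Python example is added here and is not part of the original article or of Plesk's tooling. It takes the text of an openssl.cnf, reports which digest the [req] section will use, and applies the edit above to [req] only; the function names and the sample file are assumptions constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]")
DEFAULT_MD_RE = re.compile(r"^\s*default_md\s*=\s*([^\s#]+)")  # skips '#' comments
# Constructed sample in the layout of a stock openssl.cnf (not Plesk's actual file).
SAMPLE = """\
[ CA_default ]
default_md = sha256
[ req ]
default_bits = 2048
# default_md = sha256
default_md = sha1
"""


def req_default_md(cnf_text):
    """Return the effective default_md of the [req] section, or None if unset."""
    section, value = None, None
    for line in cnf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
        elif section == "req" and (setting := DEFAULT_MD_RE.match(line)):
            value = setting.group(1).lower()  # a repeated name: the last one wins
    return value


def ensure_req_sha256(cnf_text):
    """Return (new_text, changed) with default_md = sha256 set in [req] only."""
    if req_default_md(cnf_text) in ("sha224", "sha256", "sha384", "sha512"):
        return cnf_text, False  # already SHA-2: leave the file untouched
    out, section, seen_req = [], None, False
    for line in cnf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            out.append(line)
            if section == "req" and not seen_req:
                out.append("default_md = sha256")  # the line the article adds
                seen_req = True
        elif not (section == "req" and DEFAULT_MD_RE.match(line)):
            out.append(line)  # keep everything except old [req] default_md lines
    if not seen_req:
        out += ["", "[ req ]", "default_md = sha256"]  # no [req] section at all
    return "\n".join(out) + "\n", True


if __name__ == "__main__":
    print(req_default_md(SAMPLE), "->", req_default_md(ensure_req_sha256(SAMPLE)[0]))
```

A default_md line under another section, such as [ CA_default ], does not change the digest used for CSRs, which is why the check looks only inside [req].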

A list of known browsers, mobile devices, and servers supporting SHA-256 can be obtained from the SHA-256 compatibility article.

Note that by default OpenSSL uses SHA1 for the CSR.

To check whether a website is using SHA1 or SHA2, use the following command, replacing example.com with the website's domain name:

echo | openssl s_client -connect example.com:443 -servername example.com | openssl x509 -text | grep 'Signature Algorithm'

The output for SHA1:

Signature Algorithm: sha1WithRSAEncryption

The output for SHA2:

Signature Algorithm: sha256WithRSAEncryption
