Chrome ERR_CERT_WEAK_SIGNATURE_ALGORITHM fix after Windows update
Windows update broke Chrome's certificate check. You'll see this on sites that use SHA-1 certs. Three fixes: quick toggle, moderate registry edit, or advanced group policy.
What's going on
You're browsing a site you trust — maybe your bank, your company's intranet, or a government portal — and Chrome throws ERR_CERT_WEAK_SIGNATURE_ALGORITHM. The site worked yesterday. Now it's broken. The culprit is a Windows update that tightened Chrome's handling of SHA-1 signed certificates. Those certificates aren't actually dangerous for internal or legacy systems, but Chrome now treats them like a security risk.
Here's the thing: SHA-1 is old. It's been deprecated for public web use since 2017. But lots of internal servers, older devices, and even some public sites still use SHA-1 certs. Microsoft pushed a patch in late 2024 that changed how Chrome's certificate store validates these signatures. If your IT team hasn't updated the cert, you're stuck.
Don't reinstall Chrome. Don't clear your cache. Start with the 30-second fix below.
Fix 1: Chrome flag toggle (30 seconds)
This is the quickest test. It changes a hidden Chrome setting that controls how strict the browser is about weak hashes.
- Open a new tab in Chrome.
- Type chrome://flags/#insecure-hashes-in-tls-handshakes into the address bar and press Enter.
- You'll see a flag called Insecure hashes in TLS handshakes. It's probably set to Default or Disabled.
- Click the dropdown and change it to Enabled.
- Click the blue Relaunch button at the bottom of the page.
After Chrome restarts, try loading the site that gave you the error. If it works, you're done. If it doesn't, move to Fix 2.
Why this works: The flag tells Chrome to accept SHA-1 signatures during the TLS handshake. It doesn't lower security for other sites — it just stops blocking the handshake because of the hash algorithm.
Fix 2: Registry edit for all users (5 minutes)
If the flag didn't stick (it sometimes resets after Chrome updates) or you need this to work for every profile on the machine, edit the Windows Registry.
Warning: Messing up the registry can break things. Follow these steps exactly.
- Press Windows key + R, type regedit, and press Enter. Click Yes if User Account Control asks.
- In the Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
- If the Chrome folder doesn't exist, right-click the Google folder, choose New > Key, and name it Chrome.
- Right-click in the right pane (or right-click the Chrome key) and choose New > DWORD (32-bit) Value.
- Name it InsecureHashesInTLSHandshakesEnabled.
- Double-click that new value. Set the Value data to 1 and make sure Base is Hexadecimal. Click OK.
- Close Registry Editor.
- Open Chrome and type chrome://policy in the address bar. Press Enter.
- Click the blue Reload policies button.
After that, Chrome should see the policy and apply it immediately. Try the site again.
If the error persists, double-check the path. Common mistake: placing the DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome instead of the Policies subkey. That won't work.
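The same registry change as a script, added here as an example rather than taken from the article: it creates the Policies key if it is missing, writes the DWORD, reads it back to confirm the type and data, and warns if a stray copy sits under the non-policy HKLM\SOFTWARE\Google\Chrome path mentioned above. It assumes an elevated (Administrator) PowerShell session and uses only the standard registry cmdlets.

```powershell
# Added example, not code from the article: apply and verify the Chrome policy
# InsecureHashesInTLSHandshakesEnabled = 1 under the Policies key.
# Assumes an elevated PowerShell session (HKLM writes need Administrator).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'   # where Chrome reads machine policies
$WrongKey  = 'HKLM:\SOFTWARE\Google\Chrome'            # common mistake from the article: not a policy path
$Name      = 'InsecureHashesInTLSHandshakesEnabled'

# Flag the common mistake: a value placed outside the Policies subkey is ignored by Chrome.
if (Test-Path $WrongKey) {
    $stray = Get-ItemProperty -Path $WrongKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $stray) {
        Write-Warning "$Name exists under $WrongKey; Chrome does not read policies there. Remove it to avoid confusion."
    }
}

# Create HKLM\SOFTWARE\Policies\Google\Chrome if needed (-Force creates missing parent keys).
if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

# Create or overwrite the DWORD (32-bit) value with data 1.
New-ItemProperty -Path $PolicyKey -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null

# Read it back and confirm both the data and the value type, which is what chrome://policy will report.
$item = Get-ItemProperty -Path $PolicyKey -Name $Name
$kind = (Get-Item -Path $PolicyKey).GetValueKind($Name)
if ($item.$Name -eq 1 -and $kind -eq 'DWord') {
    "OK: $Name = 1 (DWord) at $PolicyKey. Open chrome://policy and click 'Reload policies'."
} else {
    throw "Verification failed: value is '$($item.$Name)' of kind '$kind'."
}

# To revert once the server certificate has been replaced:
#   Remove-ItemProperty -Path $PolicyKey -Name $Name
```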
Fix 3: Group Policy for managed networks (15+ minutes)
If you're on a company or school computer, the registry change might get overwritten by Group Policy. You need to set the policy through the proper channel.
- Download the Chrome Group Policy templates from Google's Chrome Enterprise site. You'll want the Chrome Browser Cloud Management bundle or the standalone ADMX files.
- Extract the ZIP. Copy the chrome.admx file to C:\Windows\PolicyDefinitions. Copy the en-US\chrome.adml file to C:\Windows\PolicyDefinitions\en-US.
- Press Windows key + R, type gpedit.msc, and press Enter.
- Navigate to Computer Configuration > Administrative Templates > Google > Google Chrome.
- Scroll down to find Enable insecure hashes in TLS handshakes. Double-click it.
- Set it to Enabled. Click OK.
- Close Group Policy Editor.
- Open Chrome, go to chrome://policy, and click Reload policies.
If the policy doesn't show up, you might need to run gpupdate /force from an admin Command Prompt. After that, restart Chrome.
This fix is permanent until your IT team updates the server certificate or removes the policy.
What if none of these work?
You're probably dealing with a different issue. Check if the site's certificate is actually expired or revoked. Click the padlock icon in Chrome's address bar (or the Not Secure text) and look at the certificate details. If the certificate expired last month, no flag or policy will save you — you need the site admin to renew it.
Also, if you're using a VPN or proxy, try disabling it temporarily. Some corporate proxies re-sign certificates with SHA-1, and that's what triggers the error.
Last resort: use a different browser for that specific site. Firefox and Edge have a slightly different certificate handling policy and might let it through. Not ideal, but it keeps you working.