Some older certificates may have this info: Signature Algorithm: sha1WithRSAEncryption Newer versions of openssl 1.1 no longer support them, so if they're loaded into apache, it will fail to start. New internal default option: ssl_allow_signed_sha1=0 will do a check at update time to look for these certificates and report back if any are found. These certificates will not be allowed to be pasted in, nor imported via backup when ssl_allow_signed_sha1=0 is set. You can override the setting and allow them by typing: /usr/local/directadmin/directadmin set ssl_allow_signed_sha1 1 service directadmin restart and the update, paste/import will allow them. DirectAdmin will not currently take any action on these certificates. It will be your responsibility to clear them out. ========== RE-TEST To re-test to ensure you've rid yourself of them, run: cd /usr/local/directadmin echo "action=syscheck" > data/task.queue.cb; ./dataskq d14 --custombuild If you get output: Ssl::found_sha1_certificates: JSON with JSON below it, those will be your sha1 certifiates. You'll also get another Message System notice: Subject: A system issue requires your attention No JSON and no Message System notice would imply you're clear of sha1 certs.