So, the way X.509 works, certificates aren't signed by a particular other certificate, but by a named Issuer and private key. This particular Issuer, "Google Internet Authority G2" has both an older SHA-1 certificate (which expires when you said) and a newer SHA-256 certificate, with the same key that expires a year later. So, there are two things that might happen here, one is their fault, one is (maybe) yours
1. They could be sending the SHA-1 intermediate instead of the correct SHA-256 intermediate. This would affect everyone connecting to that particular server. Google has to fix this by correcting the intermediate certificate delivered during TLS handshake.
2. Your client (browser) could have cached the SHA-1 certificate from somewhere and be relying on it (because the name and key match) even though Google provided a SHA-256 certificate that's better.
If you can still reproduce the error, tools like openssl's s_client mode can dump all the certificates sent over, and don't have a cache of their own, so that's useful for diagnosis.
This certificate has been verified for the following usages:
SSL Server Certificate
Issued To
Common Name (CN) www.google.com
Organization (O) Google Inc
Organizational Unit (OU) <Not Part Of Certificate>
Serial Number 2C:B5:67:C4:00:95:F4:FF
Issued By
Common Name (CN) Google Internet Authority G2
Organization (O) Google Inc
Organizational Unit (OU) <Not Part Of Certificate>
Validity Period
Issued On 11/2/16
Expires On 1/25/17
Fingerprints
SHA-256 Fingerprint DB 4F 9A C6 02 74 B6 91 73 B9 BF 67 B3 64 37 20
3A 11 6A 4B 87 C2 7A A5 18 D6 71 A5 39 37 54 82
SHA-1 Fingerprint DD 3B 8A D7 5A DA C1 7A F7 DC 6C A4 40 08 C3 E0
14 2A 3E B3
4 comments
[ 81.1 ms ] story [ 180 ms ] thread-----BEGIN CERTIFICATE----- MIIEgDCCA2igAwIBAgIILLVnxACV9P8wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYxMTAzMDEzMzM1WhcNMTcwMTI2MDExMzAw WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3 Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHzMz8 G+xLkFuyF2yBjvm1uwY3LewkD/U5oBRrJAzZ8nVAGc5hwOHLAg2kDe2nW2AYpdpC FtgRTi4M+vNHlrJcPfbT0j+IpS0FSeqBlbi28LUQuv+S8MuaoGHsZQ+oHUIMm5/+ fXWfqpnJSCaFBBTg4ywHeO1qcj9865b1efD8E2Nhjmm58Z9EyNqJ3SpeWagAhk7k j66vV+63MILYMfMWNQUPEM9qytPkYuVxE2SCDAPAIl1rN7put8BO2gUAhRDUh7JP CzVH8k6WQp55f0VUuxlbpH0tjPHZS/vDDPb0nggDyqdqzIUQRCeS19m8q/mFh7Rq 0znNnlRktE4UD7OpAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0 MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G A1UdDgQWBBTOIMTSAYg4AHgT3U/MUkCw2dAjtzAMBgNVHRMBAf8EAjAAMB8GA1Ud IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEASTQEiHIasdUPoCQx y+6LUjW1uW5tXFO3T5wtMYcECARrjo7jxQlfZ4pID3s1b+iNc+cL6OgTzPxfcC1r 450qeRwGW3gLtX5Hxi/bFvz/iIS+0EKAWy7cYLI+XIg9fBWNW3Q7I0xH4h3yRiFm yICwiJJULfAFXO6ySJX9Y64WvWWF6hTx2hB+oqu3UbZy2uKKhA4P0xjoK/xZCcGH BrlY0qXGWexiI0PGYhvcaQMLDLHvhmpk8tFDgjGUnrW8GrhR97oPaigA4LbdwY2O oysN7cwTsSvZP6Sfia2jqOeYn7d6q8PI1/KL9MIriwUNBANGyyWbUR7dQbeaQCTN qUJdPg== -----END CERTIFICATE-----
It's a SHA-256 certificate which expires in January, and it was signed by a SHA-1 intermediate that expires 12/31/16.
1. They could be sending the SHA-1 intermediate instead of the correct SHA-256 intermediate. This would affect everyone connecting to that particular server. Google has to fix this by correcting the intermediate certificate delivered during TLS handshake.
2. Your client (browser) could have cached the SHA-1 certificate from somewhere and be relying on it (because the name and key match) even though Google provided a SHA-256 certificate that's better.
If you can still reproduce the error, tools like openssl's s_client mode can dump all the certificates sent over, and don't have a cache of their own, so that's useful for diagnosis.