The latest versions of Chrome browser are throwing warnings when you connect to any website that uses SHA-1 as a signing algorithm in it's SSL certificate. That's a good thing, and most certificates won't have a problem as most CA's switched away from it a while ago.
However if you are using any self-signed keys, even if you've added your CA certificate into Chrome it will complain if you don't generate the keys correctly. If you click to see why Chrome is complaining about your SSL certificate, you'll see this:
There's an easy fix, but it requires generating new keys for your sites. Thankfully the CA can stay the same.
Simply add the following to your CSR request generation line to ensure that SHA256 is used as the signing algorithm:
With this added, your CSR generation line would look something like this:
openssl req -nodes -newkey rsa:2048 -keyout $HOSTNAME.key -out $HOSTNAME.csr -sha256
After generating the CSR then sign it like you always have with your CA and install the new .key and .crt files on the server.