问题
Is there any CA that still issues SHA-1 certificates? I need it for TR management to manage devices with base firmware that does not support sha256.
回答1:
imho, Public CA's will no longer issues SHA-1 certificates; they are bounded by the strict guidance of the Certificate Authority/Browser Forum to no longer issue new server certificates with SHA1 signature algorithm.
7.1.3. Algorithm Object Identifiers
Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA‐1 hash algorithm. CAs MAY continue to sign certificates to verify OCSP responses using SHA1 until 1 January 2017. This Section 7.1.3 does not apply to Root CA or CA cross certificates. CAs MAY continue to use their existing SHA‐1 Root Certificates. SHA‐2 Subscriber certificates SHOULD NOT chain up to a SHA‐1 Subordinate CA Certificate.
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.7.pdf
来源:https://stackoverflow.com/questions/35702419/which-root-ca-still-issues-sha-1-ssl-certificates