SMA connectivity issues related to SHA1 deprecation
03/26/2020
SHA1 certificates are being phased out in the industry. Most browsers treat SHA1 certificates as insecure as of 1 January 2016. After 1 January 2017, connectivity with SHA1 certificates may be blocked by browsers.
Some Certificate Authorities are issuing SHA256 certificates that have SHA256 intermediate certificates but retain old SHA1 root certificates. While this is currently allowed, it can cause inconsistent failures and connection issues.
For the most reliable connectivity, CA certificates with a SHA1 root should be replaced with SHA256.
The SHA1 hashing algorithm is considered to be insecure and is deprecated by most authorities as of 1 January 2016.
Web browsers treat SHA1 certificates as untrusted.
Certificate chains that contain only SHA256 or SHA384 certificates are the most reliable.
All Certificate Authorities should have SHA256 root certificates available.
Requiring the CA to provide a fully SHA256 or better chain will ensure the most reliable connectivity.
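To check what a CA actually delivered, the following added example (not from the original article or the vendor) reads the signature algorithm of every certificate in a PEM bundle and flags SHA1, which catches the SHA256 leaf and intermediate over a SHA1 root case described above. The function names and the skeleton sample certificates are assumptions made for illustration; the code inspects signature algorithms only and does not validate the chain.

```python
import base64
import re

SIG_OIDS = {  # outer signatureAlgorithm OIDs commonly seen in TLS chains
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption", "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (content_start, content_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def _oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name (or dotted OID if unknown) of the algorithm that signed this certificate."""
    start, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, tbs_end = _tlv(der, start)       # skip over tbsCertificate
    alg_start, _ = _tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    dotted = _oid(der[slice(*_tlv(der, alg_start))])
    return SIG_OIDS.get(dotted, dotted)

def audit_chain(pem_bundle):
    """Return [(index, algorithm, is_sha1)] per certificate, in bundle order."""
    algs = [signature_algorithm(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle)]
    return [(i, a, "sha1" in a.lower()) for i, a in enumerate(algs)]

def make_skeleton_pem(oid_hex):
    """Constructed sample, not a real certificate: empty tbsCertificate, dummy signature."""
    alg = bytes.fromhex("06%02x%s0500" % (len(oid_hex) // 2, oid_hex))
    body = b"\x30\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    der = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % der

# Constructed chain for the case above: SHA256 leaf and intermediate, SHA1 root.
SAMPLE_CHAIN = make_skeleton_pem("2a864886f70d01010b") * 2 + make_skeleton_pem("2a864886f70d010105")
```

Pass `audit_chain` the full PEM bundle supplied by the CA (leaf, intermediates and root); any entry with `is_sha1` set is a certificate to ask the CA to replace.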