We have recently been flagged up in our compulsory annual audit for using a certificate that chains back to a Root CA with a SHA1 certificate. The certificate itself is SHA256.
On further inspection, it seems that the certificates being issued to us have two certification paths. One leads to a SHA256 Root CA (SHA1 thumbprint: 47BEABC922EAE80E78783462A79F45C254FDE68B) and the other leads to a SHA1 Root CA (SHA1 thumbprint: 2796bae63f1801e277261ba0d77770028f20eee4). This, I believe, is cross-signing? Interestingly, the SHA256 Root CA is an intermediary in the second (SHA1 Root CA) path.
All certificates auto-renew, so we re-key them with a new CSR prior to applying.
I have spoken to GoDaddy Support who stated: "My SSL admins have informed me that as of right now there is no way to remove or reissue the SSL cert without the sha1 fingerprint."
Can someone verify this is the case and explain why we cannot specify SHA256 only? Perhaps re-keying with the Starfield CA will fix this?
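The question turns on which certificate signatures a client actually verifies along each of the two paths. The script below is an added example (not from the post, GoDaddy, or Starfield): it parses just enough DER to read each certificate's signatureAlgorithm and its issuer/subject, then walks a served chain leaf-first and reports the hash used on every link. A self-signed certificate at the end of the chain is reported as the trust anchor, whose signature relying parties never check; a SHA-1 signature on any other link is flagged, because that is the one clients do verify. The names "Example Root G2" and "Example Class 2 Root" and the skeleton certificates are constructed to mirror the shape of the chain described above (SHA-256 root cross-certified under an older SHA-1 root); they carry no keys and would fail real validation. Given a PEM bundle as its first argument the script runs the same check on a real chain.

```python
"""Report the signature hash on each link of an X.509 chain (leaf first)."""
import base64
import sys

# Signature-algorithm OID -> (name, digest). Added example, not vendor code.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"

# --- minimal DER reader (only what is needed to locate three fields) ----
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)         # skip tbsCertificate
    _, algid, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def is_self_signed(der):
    """True when issuer Name == subject Name (raw DER comparison)."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)        # [0] version (optional) or serial
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)    # serialNumber
    _, _, pos = _read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)        # validity
    _, subject, _ = _read_tlv(tbs, pos)
    return issuer == subject

def audit_chain(ders):
    """Return [(algorithm name, digest, verdict)] for a leaf-first chain."""
    report = []
    for der in ders:
        oid = signature_oid(der)
        name, digest = SIG_OIDS.get(oid, (oid, "unknown"))
        if is_self_signed(der):
            verdict = "anchor: self-signature is not verified by clients"
        elif digest == "SHA-1":
            verdict = "WEAK: SHA-1 signature on a link clients verify"
        elif digest == "unknown":
            verdict = "unknown algorithm, review manually"
        else:
            verdict = "ok"
        report.append((name, digest, verdict))
    return report

def load_pem_chain(text):
    """Split a PEM bundle into DER blobs, in file order."""
    blocks = text.split("-----BEGIN CERTIFICATE-----")[1:]
    return [base64.b64decode("".join(b.split("-----END CERTIFICATE-----")[0].split()))
            for b in blocks]

# --- constructed skeleton certificates for offline demonstration --------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid("2.5.4.3") + _tlv(0x0C, cn.encode()))))

def make_skeleton_cert(subject, issuer, sig_oid):
    """CONSTRUCTED sample: structurally valid, dummy signature, no public key."""
    algid = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + algid
               + _name(issuer) + validity + _name(subject) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + algid + _tlv(0x03, b"\x00" * 9))

# Leaf -> SHA-256 root re-issued as a cross-certificate -> old SHA-1 root (constructed).
SAMPLE_CHAIN = [
    make_skeleton_cert("www.example.test", "Example Root G2", SHA256_RSA),
    make_skeleton_cert("Example Root G2", "Example Class 2 Root", SHA256_RSA),
    make_skeleton_cert("Example Class 2 Root", "Example Class 2 Root", SHA1_RSA),
]

if __name__ == "__main__":
    chain = load_pem_chain(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_CHAIN
    for name, digest, verdict in audit_chain(chain):
        print(f"{name:26s} {digest:8s} {verdict}")
```

Run it against the chain your server actually sends (for example a PEM bundle saved from `openssl s_client -showcerts`): what matters to clients is the verdict on the non-anchor links, and whether the chain is cut at the SHA-256 root or extended through the cross-certificate to the older root is a choice of which certificates you serve, not of the leaf's own signature.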