Trying to understand why the VeriSign Class 3 Public Primary Certification Authority - G5 root certificate is being flagged with QID 38655. We have end-entity certificates that are flagged with this QID that chain up to this root CA cert. The intermediary cert (Issuing CA cert) uses SHA2, but the root does use the SHA1 signature algorithm. However, we have end-entity certs that are issued from DigiCert that also chain to a SHA1 root and are also issued from a SHA2 intermediary. These DigiCert certs are NOT flagged with this QID.
When a Symantec cert is flagged we simply reissue the cert from DigiCert, and this resolves the vulnerability. I do not understand this since both certs (from Symantec and from DigiCert) chain to a SHA1 root and both use a SHA2 issuer.
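As an added diagnostic that is not part of the original post (and not a description of how QID 38655 makes its decision), the script below reads a PEM chain in the order a server sends it (leaf first) and reports each certificate's outer signature algorithm, treating the last certificate as the self-signed root, whose own signature clients never verify. The three "certificates" in `SAMPLE_CHAIN` are constructed stubs with real AlgorithmIdentifier encodings, and the function names and the small OID table are this example's own assumptions.

```python
import base64, re

# Dotted OID -> signature algorithm name (small subset; extend as needed)
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID contents -> dotted string (first byte packs two arcs, rest are base-128)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm, the field a verifier acts on."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _tlv(cert, 0)                # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)              # AlgorithmIdentifier ::= SEQUENCE { OID, ... }
    _, oid, _ = _tlv(alg, 0)
    return _decode_oid(oid)

def chain_report(pem_chain):
    """Leaf first, root last. Returns [(index, algorithm, is_root, sha1_concern)];
    SHA1 on the leaf or an intermediate is a concern, on the self-signed root it is not."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_chain, re.S)
    ders = [base64.b64decode("".join(b.split())) for b in blobs]
    names = [SIG_OIDS.get(signature_algorithm(d), "unknown") for d in ders]
    last = len(names) - 1
    return [(i, n, i == last, "SHA1" in n.upper() and i != last) for i, n in enumerate(names)]

# Constructed stub "certificates": dummy tbsCertificate, real AlgorithmIdentifier, dummy BIT STRING
def _fake_cert(oid_bytes):
    alg = bytes([0x30, len(oid_bytes) + 2, 0x06, len(oid_bytes)]) + oid_bytes
    body = bytes.fromhex("3003020101") + alg + bytes.fromhex("030200ff")
    der = bytes([0x30, len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
SAMPLE_CHAIN = _fake_cert(SHA1_RSA) + _fake_cert(SHA256_RSA) + _fake_cert(SHA1_RSA)  # leaf, issuer, root
```

Run `chain_report` on the PEM chain your server actually serves (for example the output of an `openssl s_client -showcerts` session saved to a file) to see which certificate in the served chain, rather than in the trust store, carries the SHA1 signature.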