I recently set up my own CA, and imported the CA cert into devices across the company. I then deployed certificates to our various servers, etc. All using SHA-1 signatures (the default in the tool I was using: XCA).
Today I discovered the SHA-1 warning in Chrome when browsing any of our servers. Oops. Can I just issue SHA-2 certs to our servers and Chrome will be happy? Or will any cert in the chain (including the root CA) using SHA-1 cause the warning to appear?
If so, I assume I have to create a new root certificate and distribute that too?
The next question is what's the best signature algorithm to use? Should I go right up to SHA-512 to avoid encountering a similar problem in the next year? Or use SHA-256 for compatibility? (I don't know if some browsers have trouble with the larger hash values.)
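As an added example (not part of the question, and not XCA's own tooling), the following script lists the signature algorithm of every certificate in a PEM chain bundle, so each link that still carries a SHA-1 signature is visible before re-issuing anything. It assumes the `openssl` CLI is installed; the CA and server names in the demo chain are made up.

```shell
#!/bin/sh
# Added example: inspect which certificates in a chain are signed with SHA-1.
# Assumes the openssl command-line tool. Names below are constructed for the demo.
set -e

# chain_sigalgs FILE: one line per certificate in the PEM bundle FILE,
# "<subject>\t<signature algorithm>", with a marker on SHA-1 signatures.
# Note: browsers check the signature on each issued certificate; a root's
# self-signature is trusted by distribution, not verified, so the server and
# any intermediate certs are the ones that matter for the SHA-1 warning.
chain_sigalgs() {
    dir=$(mktemp -d)
    # split the bundle into one file per certificate, in chain order
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n > 0 {f = sprintf("%s/%02d.pem", d, n); print > f}' "$1"
    for f in "$dir"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        # first "Signature Algorithm" line is the one in the signed body
        alg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
        flag=""
        case "$alg" in *sha1*|*SHA1*) flag="  <-- SHA-1: browsers warn on this";; esac
        printf '%s\t%s%s\n' "$subj" "$alg" "$flag"
    done
    rm -rf "$dir"
}

# gen_demo_chain: build a constructed root CA (SHA-512 self-signature) and a
# server cert it signs with SHA-256; prints the path of the server+root bundle.
gen_demo_chain() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 3650 \
        -subj "/CN=Example Internal Root" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/srv.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/srv.pem" 2>/dev/null
    cat "$dir/srv.pem" "$dir/ca.pem" > "$dir/chain.pem"
    echo "$dir/chain.pem"
}

# Usage: ./chain_sigalgs.sh fullchain.pem   (no argument: run on the demo chain)
if [ $# -gt 0 ]; then chain_sigalgs "$1"; else chain_sigalgs "$(gen_demo_chain)"; fi
```

Run it against the bundle actually served by each host (for example the output of `openssl s_client -showcerts`) rather than the files on disk, so the check reflects what Chrome sees.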