IMHO, public CAs will no longer issue SHA-1 certificates; they are constrained by the strict authority of the CA/Browser Forum, so they no longer issue new server certificates with the SHA-1 signature algorithm.
7.1.3. Algorithm Object Identifiers
Starting January 1, 2016, CAs MUST NOT issue new Subscriber certificates or subordinate CA certificates using the SHA-1 hash algorithm. CAs may continue to sign certificates to verify OCSP responses using SHA1 until January 1, 2017. This Section 7.1.3 does not apply to cross CA or CA certificates. Certificate Authorities can continue to use their existing SHA-1 root certificates. SHA-2 Subscriber Certificates MUST NOT connect to a SHA-1 Subordinate CA Certificate.
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.7.pdf