Subject Name (CN)  Fingerprint (SHA-1)  DigiCert Global G2  DF3C24F9 BFD66676 1B268073 FE06D1CC 8D4F82A4 DigiCert Trusted G4  DDFB16CD 4931C973 A2037D3F C83A4D7D 775D05E4 Entrust G2  8CF427FD 790C3AD1 66068DE8 1E57EFBB 932272D4 GlobalSign R3  D69B5611 48F01C77 C54578C1 0926DF5B 856976AD Go Daddy G2  47BEABC9 22EAE80E 78783462 A79F45C2 54FDE68B ISRG (Let’s Encrypt)  CABD2A79 A1076A31 F21D2536 35CB039D 4329A5E8 (Sectigo) Comodo RSA  AFE5D244 A8D11942 30FF479F E2F897BB CD7A8CB4 (Sectigo) USERTrust RSA  2B8F1B57 330DBBA2 D07A6C51 F70EE90D DAB9AD8E SSL.com  B7AB3308 D1EA4477 BA148012 5A6FBDA9 36490CBB Starfield G2 (Amazon)  B51C067C EE2B0C3D F855AB2D 92F4FE39 D4E70F0E TrustCor 1 (used by No-IP)  FFBDCDE7 82C8435E 3C6F2686 5CCAA83A 455BC30A If you need one of these trust anchors, your service administrator did a mistake actually, because all those roots are cross-signed to well established certificates. As of today, there is no known benefit to go for a SHA-2-only certificate chain. Certificate Authorities do not educate you on this fact. Why ever. Please, tell your administrator that he overdid it! One exception to this rule is DigiCert Global G2 which exists to chain up via the historic anchor VeriSign G5. That is for devices which do not know Baltimore CyberTrust. Further exceptions are Let’s Encrypt (since 30th Sep. 2021), SSL.com (since 12th Sep. 2023) and TrustCor.