Overview Users Self-signed Admins Cross-signed OpenSSL  Home
Subject Name (CN)  Fingerprint (SHA-1) 
DigiCert Global G2  DF3C24F9 BFD66676 1B268073 FE06D1CC 8D4F82A4
DigiCert Trusted G4  DDFB16CD 4931C973 A2037D3F C83A4D7D 775D05E4
Entrust G2  8CF427FD 790C3AD1 66068DE8 1E57EFBB 932272D4
GlobalSign R3  D69B5611 48F01C77 C54578C1 0926DF5B 856976AD
Go Daddy G2  47BEABC9 22EAE80E 78783462 A79F45C2 54FDE68B
ISRG (Let’s Encrypt CABD2A79 A1076A31 F21D2536 35CB039D 4329A5E8
(Sectigo) Comodo RSA  AFE5D244 A8D11942 30FF479F E2F897BB CD7A8CB4
(Sectigo) USERTrust RSA  2B8F1B57 330DBBA2 D07A6C51 F70EE90D DAB9AD8E
Starfield G2 (Amazon)  B51C067C EE2B0C3D F855AB2D 92F4FE39 D4E70F0E

If you need one of these trust anchors, your service administrator did a mistake actually, because all those roots are cross-signed to well established certificates. As of today, there is no known benefit to go for a SHA-2-only certificate chain. Certificate Authorities do not educate you on this fact. Why ever. Please, tell your administrator that he overdid it!

An exception to this rule is DigiCert Global G2 which exists to chain up via the historic anchor VeriSign G5. That is for devices which do not know Baltimore CyberTrust.
 SHA-1 Regional SHA-256 Regional ECDSA  Symantec @