Please provide a screenshot of your CA certificate (not the root certificate) as evidence to verify that it uses SHA-2 encryption algorithm

It doesn't seem like a screenshot provides very meaningful proof of anything here. After all, the screenshot doesn't prove that your site is properly configured (since anyone could just send in a screenshot of the configuration of someone else's site!).

If the problem is just the SHA-1 self-signed DST root certificate, this is a misinterpretation of the PCI rules, as discussed in these two previous threads:

(As @cpu explained in the earlier thread, "Root certificates are exempt from the SHA1 sunsetting because, in effect, their signatures are not used in the process of making a trust decision [...]".)

If you have some other SHA-1 certificate in your chain, that's probably a misconfiguration of your server, which we can't diagnose without knowing your domain name.

2 Likes
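Added example, not part of the original post: a standard-library Python check that reads the signature algorithm from each certificate in a served chain and reports a SHA-1 signature only where it is not on a self-issued root, which is the distinction drawn above. The function names and the skeletal certificates are constructed for illustration, and issuer == subject is assumed as the root test without verifying the signature.

```python
# DER-encoded OID bodies of SHA-1-based signature algorithms.
SHA1_SIG_OIDS = {bytes.fromhex("2a864886f70d010105"),   # sha1WithRSAEncryption
                 bytes.fromhex("2a8648ce3d0401")}       # ecdsa-with-SHA1
SHA1_RSA, SHA256_RSA = "2a864886f70d010105", "2a864886f70d01010b"

def elements(buf):
    """Yield (tag, value) for each DER element found back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                               # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def describe(der):
    """SHA-1-signed? Self-issued (issuer == subject; signature not verified)?"""
    tbs, sig_alg, _signature = elements(next(elements(der))[1])
    fields = list(elements(tbs[1]))
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    oid = next(elements(sig_alg[1]))[1]
    return {"sha1": oid in SHA1_SIG_OIDS, "self_issued": issuer == subject}

def audit_chain(chain):
    """Indexes of certificates whose SHA-1 signature is relied on for trust."""
    reports = [describe(der) for der in chain]
    return [i for i, r in enumerate(reports) if r["sha1"] and not r["self_issued"]]

# Constructed sample data: skeletal certificates, not real or validly signed.
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def fake_cert(issuer, subject, sig_oid_hex):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30,
        tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

ROOT = fake_cert("Example Root", "Example Root", SHA1_RSA)   # SHA-1 root, exempt
LEAF = fake_cert("Example CA", "www.example.test", SHA256_RSA)
GOOD_CHAIN = [LEAF, fake_cert("Example Root", "Example CA", SHA256_RSA), ROOT]
BAD_CHAIN = [LEAF, fake_cert("Example Root", "Example CA", SHA1_RSA), ROOT]
```

`audit_chain(GOOD_CHAIN)` reports nothing even though the root is SHA-1-signed, while `audit_chain(BAD_CHAIN)` points at the intermediate at index 1.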