I guess it must be. Not only do they check the CSR signatures, as of a few years ago they required them to not be SHA-1. But that's just their system, I don't think ACME or the BRs/root programs require them to check it.
3 Likes