We are failing a security scan using a newly generated GoDaddy certificate that has the GoDaddy Root CA with a SHA-1 signed certificate. These are non-UCC standard certificates. However, we have other certificates that are UCC and they also have this GoDaddy SHA-1 root CA in the certificate chain. At the same time, we also have non-UCC and UCC certs that only have the GoDaddy G2 CA as the root in the chain.
I contacted support and they were less than helpful, and I hope they get replaced, because this was actually an easy fix and it exposes a problem within GoDaddy's certificate signing policies. I was able to reproduce the issue and obtain a brand new signed certificate, and it still had the GoDaddy SHA-1 CA certificate and not the G2 as the root. So the GoDaddy policy is still broken as of today.
Here is the fix and the root cause: GoDaddy has a Root CA that uses SHA-1, and they have the G2 as the Root CA. At some point GoDaddy specified that newly issued certificates will only come from the G2 Root CA; however, this is not always true. If you have a certificate that is older than GoDaddy's policy change and you don't specify the GoDaddy SHA-2 authority (and click Save) when it is renewed, then it will continue to be signed by the old GoDaddy SHA-1 Root CA. So the fix is to re-key your certificates and specifically choose either the GoDaddy SHA-2 option (and click Save) or the Starfield SHA-2. Then the new issuance policy will be applied to the renewed certificate.
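To confirm which certificate in a delivered chain is still SHA-1 signed before and after re-keying, the following added example (not from the original post) reads the signatureAlgorithm field of each PEM certificate with a minimal DER walker, so it needs no TLS library. The three certificates it runs on are constructed stand-ins with valid DER framing and real AlgorithmIdentifier OIDs but a placeholder tbsCertificate and no key material; in practice you would feed it the output of `openssl s_client -showcerts`.

```python
import base64
import re

# sha1WithRSAEncryption and ecdsa-with-SHA1: the signatureAlgorithm OIDs a scanner flags
SHA1_SIGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _tlv(buf, pos):                                # decode one DER tag-length-value; return (tag, value, next_pos)
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length: low bits give the byte count
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _oid(raw):                                     # DER OBJECT IDENTIFIER value -> dotted string
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                              # base-128 arcs, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Return the dotted OID of Certificate.signatureAlgorithm (RFC 5280 section 4.1)."""
    _, cert, _ = _tlv(der_cert, 0)                 # outer Certificate SEQUENCE
    _, _, p = _tlv(cert, 0)                        # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, p)                   # AlgorithmIdentifier SEQUENCE
    return _oid(_tlv(alg_id, 0)[1])

def weak_signatures(pem_chain):
    """Return [(position, algorithm)] for every SHA-1-signed certificate in a PEM chain."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_chain, re.S)
    found = []
    for i, b64 in enumerate(pems):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        if oid in SHA1_SIGS:
            found.append((i, SHA1_SIGS[oid]))
    return found

# Constructed sample chain: valid DER framing and real AlgorithmIdentifiers, placeholder TBS, no keys.
def _der(tag, body):                               # short-form length suffices for these small blobs
    return bytes([tag, len(body)]) + body
def _fake_cert(oid_hex):
    tbs = _der(0x30, _der(0x02, b"\x02"))          # stand-in for tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
# Leaf and intermediate sha256WithRSAEncryption, root sha1WithRSAEncryption: the chain the post describes.
SAMPLE_CHAIN = "".join(_pem(_fake_cert(h)) for h in ("2a864886f70d01010b", "2a864886f70d01010b", "2a864886f70d010105"))
```

Relying parties never verify a trust anchor's own self-signature, so a SHA-1 root is a scanner policy finding rather than a cryptographic break; re-keying onto the G2/SHA-2 chain as described above is what clears it.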