We just ordered a new cert from an external trusted authority and were presented with a choice. We could get a SHA256 cert issued from a chain where the root CA certificate was SHA1 or one from a SHA256 root CA. The text under the SHA1 root option said that we should choose this for greater compatibility.
Well, we went for the SHA256 root, because who wants a legacy root CA?
Here is what the incompatibility actually turned out to be, because at the time we could not think of why it would cause us any issues.
The problem is that the SHA256 root CA is relatively new. Not every machine will trust it, because trusted root stores are not always updated automatically.
So it is not really a compatibility problem at all; it is just that some people are not actively updating their trusted root CA stores.
FYI, there are a number of ways of doing this; here is a link on it you might find useful.
We went for just delivering the one cert by GPO rather than updating the trusted roots, as we needed to do it quickly to support this new cert, and we plan to test the best route for keeping them up to date going forward. Our workstations are fine as they have an internet connection, but most servers are blocked for obvious reasons.
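To tell in advance which machines will hit this, the following added PowerShell check (my example, not from the original post) builds the chain for the new server cert on the local machine, reports the signature algorithm of every certificate in it, and says whether the chain's root is actually present in the machine's Trusted Root store. The path `C:\certs\server.cer` is an assumption; point it at your own leaf cert.

```powershell
# Added example: check whether this machine trusts the root of a given server cert,
# and show which hash algorithm each certificate in the chain was signed with.
$leafPath = 'C:\certs\server.cer'   # assumed path to the new leaf certificate

Add-Type -AssemblyName System.Security
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($leafPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation checking is off so that an offline server still builds the chain;
# we only care about the trust-store question here.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($leaf)

# One row per chain element: leaf first, root last.
$chain.ChainElements | ForEach-Object {
    $c = $_.Certificate
    [pscustomobject]@{
        Subject    = $c.Subject
        SigAlg     = $c.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA vs sha1RSA
        NotAfter   = $c.NotAfter
        Thumbprint = $c.Thumbprint
        Status     = ($_.ChainElementStatus | ForEach-Object Status) -join ','
    }
} | Format-Table -AutoSize

# The last element is whatever the machine treated as the chain's root.
$root     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootInStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"

if ($built -and $rootInStore) {
    "OK: chain builds and root '$($root.Subject)' is in LocalMachine\Root."
} else {
    # UntrustedRoot is the status you see when the root store has not been updated.
    $problems = ($chain.ChainStatus | ForEach-Object Status) -join ','
    "PROBLEM: chain built = $built, root in store = $rootInStore, status = $problems"
    # Manual equivalent of what the GPO pushes out (run as admin):
    # Import-Certificate -FilePath C:\certs\root.cer -CertStoreLocation Cert:\LocalMachine\Root
}
```

Running this on a workstation and on one of the internet-blocked servers before the cert goes live shows the difference directly: the workstation reports the root in the store, the server reports `UntrustedRoot` until the GPO has delivered it.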