Although the digest function used for self-signed roots is immaterial, and there are still a lot of SHA-1 based self-signed roots in the WebPKI (and recognised in OS/distributions) - for some reason RH9 derived systms fail to recognise SHA-1 certs as distributed by the IGTF.
Discssion on reasons, mitigations, re-issuancance, and trnasition.
Participation by all (esp. relying parties with...
See the IGTF position statement on server BR changes and domainComponent.
and in addition to the server SSL BRs, there is also a potentially disruptive change for client certs: https://github.com/cabforum/smime/blob/preSBR/SBR.md
There is a "legacy"-Profile, where things like DC= (or info=) might be acceptable, but in the profiles "strict" and "multipurpose" these things will not be...