Major browsers have started removing support for SHA-1 certificates, including the latest versions of Google Chrome 56, Mozilla Firefox 51, and Internet Explorer 11. As a result, you might experience behavior changes with affected browsers, as follows:
Upgrade the root CA to SHA256:
Note: You do NOT need to create the CSR with SHA256 on the Edge SWG (ProxySG) appliance for the Root CA server to sign the intermediate certificate with SHA256. The hash used to sign the CSR and the hash the Root CA uses to sign the issued certificate are independent: you can create the CSR with SHA1, and the Root CA applies SHA256 to the intermediate certificate when it signs it. See the KB article "Create a Certificate Signing Request (CSR) with an SHA-2 cryptographic hash function on the ProxySG" for details.
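The behavior described in the note can be reproduced with the OpenSSL command line. This is an added example, not a procedure from the KB article: OpenSSL stands in for both the appliance (CSR creation) and the Root CA (signing), and all subjects, file names and the serial number are constructed for the demo. It assumes an OpenSSL build that still permits SHA-1 signing.

```shell
#!/bin/sh
# Added example: a SHA-1 CSR signed by a CA that issues with SHA-256.
# OpenSSL stands in for the appliance and the Root CA; all names are constructed.

# Print the signature algorithm recorded in a CSR ("req") or certificate ("x509").
sig_alg() {  # usage: sig_alg req|x509 FILE
  openssl "$1" -in "$2" -noout -text |
    awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Build a throwaway root CA, a SHA-1 CSR and a SHA-256 intermediate certificate.
# Prints "<CSR signature algorithm> <certificate signature algorithm>".
demo_csr_vs_cert_hash() (
  set -e
  d=$(mktemp -d)
  trap 'rm -rf "$d"' EXIT

  # Root CA: self-signed with SHA-256.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null

  # Intermediate CSR: deliberately self-signed with SHA-1.
  openssl req -new -newkey rsa:2048 -nodes -sha1 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null

  # Extensions that make the issued certificate an intermediate CA.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/ext.cnf"

  # The CA picks the digest for the certificate it issues (-sha256);
  # the CSR's own digest is only used to check the request's self-signature.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 4096 -sha256 -days 30 -extfile "$d/ext.cnf" \
    -out "$d/int.crt" 2>/dev/null

  csr_alg=$(sig_alg req "$d/int.csr")
  crt_alg=$(sig_alg x509 "$d/int.crt")
  echo "$csr_alg $crt_alg"
)

demo_csr_vs_cert_hash
```

Running `sig_alg x509` against a deployed intermediate certificate is also a quick check that it was actually reissued with SHA-256.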