A certificate resigning policy is in place, but the browser shows a warning related to the  SHA-1 hash algorithm and certificate expiration in 2017 or later. The following is an example:

The re-signing intermediate CA certificate uses the SHA-1 hash algorithm and expires after January 1, 2017.

Many major browsers are phasing out SHA-1 support and issue a warning:

Google chrome:
https://googleonlinesecurity.blogspot.cz/2014/09/gradually-sunsetting-sha-1.html

Mozilla:
https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/

 

Create a new resigning CA certificate that is signed with SHA-256 or SHA-384 or SHA-512 algorithm.

Workaround