Does anyone have a formal answer on how the SHA-1 sunset affects SHA-1 _client_ certificates? I'm fully on board with how the deprecation of SHA-1 server certificates is working, but client certificates seem to be a cloudy area...
The SHA-1 sunset doesn't affect client certs.
Please refer to https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html:
"Note that even without the policy set, SHA-1 client certificates will still be presented to websites requesting client authentication."