CAs should not be issuing new SHA-1 certificates, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates.
If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expired expire before 2017.
=== Generic names for CAs ===