With the latest news about SHA-1, generating collisions with defined prefixes (https://sha-mbles.github.io/ ), the authors indicate that there is an affectation in those X509 certificates under SHA-1 that use predictable Serial Numbers.
CA/Browser Forum Baseline Requirements in 7.1 say "CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG". Are we safe? Do the CA's rigorously enforce this? Your opinion Mr @sleevi_? Thanks!