Part Number: CC3220SF
So I'm trying to plug an actual code signing certificate into my CC3220MODASF project. I purchased one (issued by Sectigo, formerly Comodo), and also (ostensibly, see below) acquired a "legacy" SHA-1 certificate from the same provider. I did this because of this admonition in SWPU332, section 1.5.1 "Code Signing Certificate" (emphasis added):
IMPORTANT: The production line programming (such as through Uniflash) works with the
device boot (ROM) code that only supports the following signature types: PKCS#1, RSA 256
or 128 bytes, SHA_1 (the signature length is 256 or 128 bytes). Code signing certificates that
use SHA-384 or SHA-512 (or other unsupported method) for the signature algorithm will
cause the chain verification to fail with an "FS_SECURITY_ALERT_CERT_CHAIN_ERROR"
alert. The newer SHA methods are supported by service packs, so such certificates can be
used during OTA but not during the production line. This limitation is relevant for the user
and intermediate certificates (the signature algorithm of the root CA certificate does not
impact the chain verification, so any method will work).
So I received the (purported) SHA-1 certificate, exported it into the right format, created a build in UniFlash, and attempted to program the unit. However, I got "FS_SECURITY_ALERT_CERT_CHAIN_ERROR". Hmm. So I further examined the certificate; this is what Windows says about it:
I'm not a crypto expert, but if TI says that the only supported "signature types" are SHA-1, and Windows says the "signature algorithm" is "SHA256RSA", then I take that to mean that the certificate signature is SHA-2 (SHA-256), not SHA-1.
Do I have the wrong certificate type for signing my application? Do I need to make sure that the intermediate CA's certificate also is not SHA256, as per the documentation?
And as an aside... where are people purchasing their certificates from? Or do I just need to say "screw it" and implement my own vendor catalog instead of relying on the TI catalog of root of trust, so I can then make my own certificates?
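One way to check a chain against the SWPU332 constraint quoted in the post before programming a unit (an added example, not part of the original post and not TI tooling). It reads the outer signatureAlgorithm OID and signature length from each DER-encoded certificate; the role labels, function names and the constructed skeleton certificates are assumptions made for illustration, and in practice the bytes would come from the exported DER files.

```python
# Added example: pure-Python DER walk (standard library only).
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_signature(der):
    """Return (signature algorithm name or OID, signature length in bytes)."""
    _, start, _ = tlv(der, 0)                   # Certificate ::= SEQUENCE {
    _, _, tbs_end = tlv(der, start)             #   tbsCertificate (skipped)
    _, alg_start, alg_end = tlv(der, tbs_end)   #   signatureAlgorithm
    _, oid_start, oid_end = tlv(der, alg_start)
    _, sig_start, sig_end = tlv(der, alg_end)   #   signatureValue BIT STRING }
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid), sig_end - sig_start - 1  # drop unused-bits octet

def check_chain(chain):
    """chain: [(role, der)]. Root is exempt per the quoted SWPU332 text."""
    found = [(role, *cert_signature(der)) for role, der in chain if role != "root"]
    return [f for f in found if f[1] != "sha1WithRSAEncryption" or f[2] not in (128, 256)]

# --- constructed skeletons (not valid certificates) so the example runs offline ---
def _der(tag, body):
    n = len(body)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def fake_cert(last_arc, siglen):
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + b"\x05\x00")
    return _der(0x30, _der(0x30, b"\x02\x01\x02") + alg + _der(0x03, b"\x00" + bytes(siglen)))

SAMPLE_CHAIN = [("user", fake_cert(11, 256)),   # SHA256RSA, as Windows reported in the post
                ("intermediate", fake_cert(5, 256)),
                ("root", fake_cert(12, 512))]
```

Calling check_chain(SAMPLE_CHAIN) returns the certificates that the quoted text says the ROM will reject; an empty list means every user and intermediate certificate carries a SHA-1 RSA signature of 128 or 256 bytes.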