Anyone with production SHA-1 signed certificates.
SHA-1 has been vulnerable for a few years now, recently it has also become inexpensive to exploit.
As of 1/1/2017 most major browsers will start rejecting SHA-1 signed certificates. Some are considering starting as soon as 6/2016
Also code signed by a SHA-1 cert will be rejected by Microsoft as of 1/1/2017 as well
Venafi can automate the replacement. Attached to this is a PDF walking through how to migrate from SHA-1 certificates.