Assuming you can actually get the security command to operate on both certificates, given they have the same name (I'm not sure on that), you can export the certificate into PEM form using this:
/usr/bin/security find-certificate -a -c "Common Name" -p > /tmp/certname.pem
From there, you can use openssl to tell it to expect a PEM certificate to read in and examine the signature algorithm
/usr/bin/openssl x509 -noout -text -inform PEM -in /tmp/certname.pem | awk '/Signature Algorithm:/{print $NF; exit}'
The above should print something like sha256WithRSAEncryption or whatever it is.
The biggest problem I think you might face is, even after determining which cert is the old one, actually getting the security command to delete it successfully. My experience with it is that deleting a cert when there is more than one with the same name fails, at least when specifying it by the common name, which makes sense, since there are multiples with the same name. You might need to first capture the SHA-1 for each cert into a variable using something like
SHA-1=$(/usr/bin/security find-certificate -a -c "Common Name" -Z | awk '/SHA-1/{print $NF}')
Then use
/usr/bin/security delete-certificate -Z "$SHA-1"
Give the above steps a try. Of course, you'll need to somehow keep track of which cert is being exported for examination as it goes over each one in a loop perhaps and then try deleting the one with the older SHA-1.
Hope all the above helps a little. Good luck.
