So we moved suppliers for SSL certificates after our last one stopped doing SHA-1. We settled on https://www.startssl.com as they were recommended and seem to have a good approach.
Unfortunately they will not accept CSR requests using an MD5 checksum as it is not secure enough – which is the only option in Domino. Apparently a number of better-known SSL suppliers have adopted the same policy.
There are workarounds using ikeyman if you have an XP machine to run it on.
Not going to say any more 🙁