The Aug post above gave links to the SPR on SHA-2. However, it's now more critical as Chrome is planning to make our SSL v3 sites w/SHA-1 display with a security warning. This basically makes it like we run self-certs.
There has been a SPR on SHA-1 needing upgrade to SHA-2 for quite some time:
SPR # ABAI7SASE6 (APAR LO48388)
Now, Red Hat and the other vendors are advising to dump SSL v3 completely and run the latest TLS 1.2 on their httpd service. With IHS being Windows only, there is no good option for Linux Domino admins, especially if they run multiple domains w/ multiple SSL certs (IPs); the reverse proxy gets really complicated.
I followed the instructions for making the SHA-2 request using OpenSSL, then converting the keys via the new GSKit (ikeyman), and then using the old ikeyman to convert to kyr (keyring) files. It worked to give Domino SHA-2 support, but it still failed the SHA-1 test at Qualys because, evidently, the Domino server can still talk SHA-1 with a SHA-2 set of keys. If I look at the cert in Firefox, the SHA-2 key still has a SHA-1 hash that it presents for both an Apache server and a Domino server, except the Apache server forces TLS only via Apache certificate limitations, and Domino is still vulnerable because it still accepts SHA-1. So for me the work-around didn't block SHA-1, which is my regulatory requirement. Only a proxy works, and that is complicated in 2 of my set-ups with multiple domains and multiple SSL IPs on the Domino servers.
Link to the steps we used for bypassing the Domino keyring cert database: http://mindwatering.com/SupportRef.nsf/webpg/310E670B524BEF3985257D7800824F84
Adapt these instructions using the Apache part, but using the certificate / keyring creation of the link above: http://mindwatering.com/SupportRef.nsf/webpg/A9B5147B1A1B7F2D85257D78006709C1
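Added example, not part of the post above or of the linked mindwatering pages: the OpenSSL half of the procedure described (a SHA-256-signed CSR, plus a locally self-signed test cert) with a check of which signature hash the resulting files actually carry, and a separate probe of which protocol versions a server will negotiate. The subject name, key size, file paths and the `WORKDIR` variable are assumptions. Protocol version support is a server-side setting, separate from the certificate's signature hash, so the probe is the part that corresponds to what the Qualys test exercises; it needs network access and is only run when a host is passed in.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# make_sha2_request / self_sign_test_cert / signature_algorithm run offline;
# probe_server opens a real connection and is invoked only when a host is given.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for key material

# make_sha2_request KEYFILE CSRFILE SUBJECT
# Generates a 2048-bit RSA key (assumed size) and a CSR signed with SHA-256.
# The -sha256 flag is what makes this a "SHA-2 request" to hand to the CA.
make_sha2_request() {
    key="$1"; csr="$2"; subject="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -subj "$subject" >/dev/null 2>&1
}

# self_sign_test_cert KEYFILE CSRFILE CERTFILE [DIGEST]
# Self-signs the CSR so the signature hash can be inspected locally before a
# real CA is involved. DIGEST defaults to sha256; pass sha1 to see the
# difference a CA's choice of hash makes.
self_sign_test_cert() {
    key="$1"; csr="$2"; cert="$3"; digest="${4:-sha256}"
    openssl x509 -req -days 30 "-$digest" -in "$csr" -signkey "$key" \
        -out "$cert" >/dev/null 2>&1
}

# signature_algorithm KIND FILE
# KIND is "req" for a CSR or "x509" for a certificate. Prints the signature
# algorithm OpenSSL reports, e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
signature_algorithm() {
    kind="$1"; file="$2"
    openssl "$kind" -in "$file" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# probe_server HOST:PORT PROTOCOL_FLAG
# Reports whether the server completes a handshake for the given version flag
# (-tls1, -tls1_1, -tls1_2, or -ssl3 on OpenSSL builds that still include it).
# This is a server configuration matter and is independent of the certificate's hash.
probe_server() {
    host="$1"; flag="$2"
    if echo | openssl s_client -connect "$host" "$flag" >/dev/null 2>&1; then
        echo "$host accepts $flag"
    else
        echo "$host rejects $flag"
    fi
}

# Usage: sh this_script.sh                 -> offline CSR/cert demo in $WORKDIR
#        sh this_script.sh host:443 -tls1_2 -> probe a live server
if [ "$#" -ge 1 ]; then
    probe_server "$1" "${2:--tls1_2}"
elif command -v openssl >/dev/null 2>&1; then
    make_sha2_request "$WORKDIR/domino.key" "$WORKDIR/domino.csr" "/CN=www.example.com"
    self_sign_test_cert "$WORKDIR/domino.key" "$WORKDIR/domino.csr" "$WORKDIR/domino.crt"
    echo "CSR signature:  $(signature_algorithm req  "$WORKDIR/domino.csr")"
    echo "cert signature: $(signature_algorithm x509 "$WORKDIR/domino.crt")"
fi
```

The CSR's own signature hash is only a request to the CA; the hash on the issued certificate is whatever the CA used, so check the returned cert with `signature_algorithm x509` before importing it into GSKit/ikeyman. Passing `-ssl3` or `-tls1` to `probe_server` against the Domino host shows which versions the server still accepts regardless of the certificate installed.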