Has anyone had a chance to look at making make-ssl-cert(8) use SHA-2? Given the (release and retire0 time lines of Debian 8, there could be the problem of Windows not accepting SHA-1 certs.