If a customer is trying to replace the self-signed certificates with certificates signed by a CA (Certificate Authority), and they examine the CSR (Certificate Signing Request) they may be concerned that it shows: Signature Algorithm: sha1WithRSAEncryption and not a higher level of security, such as SHA-2 SHA-256 sha256WithRSAEncryption (different names for the same thing).
This is caused by the JDK 1.6 keytool utility, that is installed by default with versions of IMG through 6.9.1 . This version of keytool makes a keypair and CSR with a sha1WithRSAEncryption signature , even if you specify (not in the docs): -sigalg SHA256withRSA
This is only related to to the hash strength for checksum validation or tamper evidence of the CSR itself, until it is signed. It will have no effect on which signature algorithm the CA chooses to sign the certificate itself, and typically a CA will choose a stronger algorithm. Once the certificate has been generated and signed with a stronger algorithm, the weaker algorithm used by the CSR is no longer relevant.
Note: The next version of IMG will use JDK 1.7, which has an updated keytool utility.