Prefer SHA256 Certificates

[david-maw]

As security has increased so we find SHA1 signed certificates deprecated, ideally the code should prefer a SHA256 signed certificate over SHA1 if one exists (just as CA certificates are preferred over self signed already). If it creates a self-signed cert, that ought to be SHA256 too, but that seems less important.