There are several different paths that can be followed to generate a keyring file that contains SHA-2 certificates. Once you have that keyring file, you can use it with any Domino 9.0+ server. However, those servers will only be able to use SSLv3 with their SHA-2 keyring files unless you upgrade them to 9.0 IF6 or 9.0.1 FP2 IF1, which adds support for TLS 1.0.
Generating a keyring file using Certreq.nsf and the CA process
Upgrade your Domino server running the CA process
to 9.0 IF6 or 9.0.1 FP2 IF1, then follow the steps in the IBM Knowledge Center topic
Setting up SSL on a Domino server, choosing one of the SHA-2 algorithms while creating the Internet Certifier.
In order to perform the step of "Merge Trusted Roots", you will need to be accessing the certreq.nsf database from a Notes client
running 9.0.1 FP2 IF2. If you attempt this step from an older client, you will receive a "Certificate signature does not match contents" error.
The resulting keyring file will work on any 9.0+ Domino server.
(Tip: You can use the following technote, written for previous versions of Domino, to orient yourself to the steps. However, be aware that it is not updated for current versions of Domino. "Quick guide to securing a Domino server with SSL using the CA process" at http://www.ibm.com/support/docview.wss?uid=swg21193730)
Generating a keyring file using OpenSSL and kyrtool, self-signed certificate
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Self-signed_SHA-2_with_OpenSSL_and_kyrtool?open
Generating a keyring file using OpenSSL, kyrtool, and a third party Certification Authority
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool?open
.
Notes 9.0.1 FP2 IF2:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Notes&release=9.0.1.2&platform=Windows&function=fixId&fixids=Notes_901FP2IF2_W32_Standard&includeSupersedes=0&source=fc