handle strong SHA-2 signatures in X.509 certificates