is this confirmed to be different behavior than on the SRX series then? Because as I mentioned I had to specify SHA 256 in the CSR that I generated from an SRX not too long ago because ECA vendors are prohibited from issuing SHA-1 server certs after 1/1/16 - I only learned of that after I had submitted a CSR and they denied it because it was not created as SHA-256.
I believe that I would need to create a SHA-256 CSR on the SSG just as I did the SRX or else I will wind up in the same situation