EasyRSA's pkitool has the use of sha1 to sign certs hardcoded all over the place.

From: Stephen Hocking <stephen.hocking_at_gmail.com>
Date: Sat, 14 May 2022 11:14:12 UTC
Hi all,

After coming across the recent issue that OpenVPN clients using new
versions of openssl wouldn't accept ca certs I'd generated a while ago,
complaining that the signature was signed with a suitably strong hash I
went hunting. Turns out the openssl.cnf entry of what the message digest is
supposed to be is over-ridden by the explicit  invocation of -sha1 on the
command line for a few of the commands.


  "I and the public know
  what all schoolchildren learn
  Those to whom evil is done
  Do evil in return"		W.H. Auden, "September 1, 1939"