In this technote from IBM you can find the following answers:
Q1: Can I import the SHA-2 cert on a Domino 9.x server and then use that keyring on a Domino 8.5.x server? No. Domino 8.5.x lacks the cryptographic infrastructure for SHA-2. This means if you import the cert using 9.x and the Interim Fix and and KYRTool described above, you can use that keyring on a Domino 9.0 or above server, but not on a Domino server pre-Domino 9.0.
Q2: Can I get a hotfix on 8.5.x or earlier to support SHA-2? No. This is not possible since releases prior to Domino 9.0 lack the cryptographic infrastructure for SHA-2.
Is an update to Domino 9.x
the only way the handle this issue? If so, how long it's time, before the relevant web browsers (ie, firefox and chrome) will cancel the support for SHA-1?