As my story hopefully shows, the SHA-1 hash function is not the big problem. The way in which a Public Key Infrastructure is implemented and used is often a greater risk.