One reason for writing this article is, that in my current position I was assigned to work for a major project to replace SHA-1 certificates. This became topical when the Center for Mathematics and Informatics (Amsterdam) together with Google, on 23 February 2017 after 2 years of computing, published the first SHA-1 "collision" - see section “XII. SHA-1” for what this means.
However, in any project I get to deal with security of communication between systems. I find that misconceptions about how the techniques need to be used are widespread. Below I explain some pitfalls that I have encountered in practice, and how to avoid them.