SHA-1 Certificate expiring for PB/EAS app

I have a former client that is having a HUGE production problem with EAS 6.3.1 crashing, so they backed out and went to their prior PB9/EAS 4.2.x . One of the main reasons for the upgrade was because EAS 4.x doesn't support SHA-2. Now the urgent issue is coming up with a workaround to not use the SHA-1 certificates. I've never seen any of this code, other than doing a simple upgrade of the server components and adding try/catch for every method. From what I am told there is a single process on the client that uses the SHA-1 to pass the userid/pw via iiops to the server for authentication. That is what must be replaced immediately. We've got about 2 weeks to code something so it can be tested and implemented in prod before the certificates expire in May. Hoping someone has had some experience with this and can make some suggestions. I also want to find out, since everything I've heard tells me that EAS 5.5 is much more reliable than 6.x, does 5.5 support SHA-2?

Kevin