Generate SHA-256 CSRs by default, deprecate SHA-1 CSRs
Microsoft and Google are driving a migration to SHA-256 (aka SHA-2). Chrome will soon show SHA-1-signed certificates with expiry dates after 2015 as secure but with errors, and those which expire after 2016 as insecure. Already, SSL Labs has lowered their grade for such certificates.
cPanel should start to call openssl with the -sha256 argument on the "Generate an SSL Certificate and Signing Request" page, otherwise all its CSRs will be SHA-1, and requested certificates will be signed as SHA-1 (and hence, weak). This is separate from whether the key-size is 2048 or 4096 bytes.
Free certificate issuer StartSSL do not currently warn when SHA-1 CSRs are used, and don't let you generate a new certificate for the same subdomain without paying them. Users who use CSRs from the current version of cPanel may be stuck with a cert which will cause browser warnings if this isn't fixed.
I'd expect to see the option for a SHA-1 CSR, but SHA-2 should be the default and there should be big warnings around SHA-1 for users who don't know what they're doing.
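One way to check which hash an existing CSR was signed with before submitting it to an issuer, as an added example that is not part of the original request and not cPanel code. The function names are assumptions, and the sample input is a constructed CSR skeleton (empty request info, dummy signature) rather than a real request; a PEM or DER CSR produced by openssl is read the same way.

```python
import base64

# DER-encoded OID values for RSA signature algorithms (PKCS #1)
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010c"): "sha384WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010d"): "sha512WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(data):
    """Accept PEM or raw DER bytes and return DER."""
    if b"-----BEGIN" not in data:
        return data
    lines = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
    return base64.b64decode(b"".join(lines))

def csr_signature_algorithm(data):
    """Name the algorithm in CertificationRequest.signatureAlgorithm."""
    tag, body, _ = read_tlv(pem_to_der(data), 0)  # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)                 # skip certificationRequestInfo
    _, alg, _ = read_tlv(body, pos)               # signatureAlgorithm SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return SIG_ALGS.get(oid, "unknown OID " + oid.hex())

def is_sha1_csr(data):
    return csr_signature_algorithm(data).startswith("sha1")

def _tlv(tag, value):  # short-form lengths only, enough for the sample
    return bytes([tag, len(value)]) + value

def sample_csr(oid_hex):
    """Constructed CSR skeleton for the demo; not a real signed request."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    der = _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00\x00"))
    return (b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(der)
            + b"\n-----END CERTIFICATE REQUEST-----\n")
```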