This is to ensure that signatures on CSRs and certificates use
SHA-256. I have not managed to find a version of OpenSSL that
does not use SHA-256 (I checked 1.0.1 and 1.1.0 and 1.1.1) so
this is effectively a no-op, but it might be useful for people
on Red-Hat-alike systems stuck on ante-diluvian versions.