But what about the thumbprint algorithm? Is it okay that it is SHA1?
No worries there: this really is not a security hole, as the thumbprint is used to identify certificates more easily. For example, you have a web server and have to add a certificate to enable HTTPS encryption. The web server offers a choice of certificates from the local store, but there are a few certificates with the same subject name. This is where you use the certificate thumbprint: to choose the correct certificate.
Also, to my knowledge, there is no way to change the thumbprint algorithm.
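
As an added example (not from the original post), the PowerShell function below lists the certificates in a store that share a subject name, showing each one's thumbprint, whether that thumbprint equals the SHA-1 digest of the certificate's DER bytes, and the signature algorithm, which is a separate property. The function name and the default store path `Cert:\LocalMachine\My` are assumptions; the script only reads the store.

```powershell
# Added example: report certificates with a duplicated subject name and show
# how the thumbprint relates to the certificate. Read-only; changes nothing.
function Get-CertificateThumbprintReport {
    param(
        # Assumed default; point this at the store your web server reads from.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        Get-ChildItem -Path $StorePath |
            Group-Object -Property Subject |
            Where-Object { $_.Count -gt 1 } |      # keep only ambiguous subject names
            ForEach-Object { $_.Group } |
            ForEach-Object {
                # The thumbprint is not a field inside the certificate. It is the
                # SHA-1 digest of the DER-encoded bytes (RawData), computed locally.
                $digest     = $sha1.ComputeHash($_.RawData)
                $recomputed = [System.BitConverter]::ToString($digest) -replace '-', ''

                [pscustomobject]@{
                    Subject            = $_.Subject
                    Thumbprint         = $_.Thumbprint
                    MatchesSha1OfDer   = ($recomputed -eq $_.Thumbprint)
                    # Algorithm the issuer used to sign the certificate;
                    # independent of how the thumbprint is calculated.
                    SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                    NotBefore          = $_.NotBefore
                    NotAfter           = $_.NotAfter
                }
            }
    }
    finally {
        $sha1.Dispose()
    }
}

# Show the candidates side by side so the right one can be picked by thumbprint.
Get-CertificateThumbprintReport |
    Sort-Object -Property Subject, NotAfter |
    Format-List
```

If no subject name appears more than once in the store, the report is empty.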