Your math suggests that you can break a certificate with 2^61 hash operations, but this page says 2^61 operations will only give you a collision:

https://code.google.com/p/hashclash/

With the ability to generate collisions, it becomes easier to trick a CA into signing an evil certificate, but collisions don't help if you want to break someone else's certificate.