This is the million-dollar question :) We are talking about Microsoft Certification Authority servers here.
- The short answer is that this depends on the cryptographic provider that the CA is using. Since each Windows version ships with a specific set of providers, you may need to upgrade your CA to a newer version of Windows in order to support SHA-2.
- Even if you are using a cryptographic provider that supports SHA-2, you need to instruct the CA to use SHA-2 for future signing requests.
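
The two checks above can be scripted. The following is an added example, not code from the original post: it reads the active CA's provider and signing hash from the CertSvc registry configuration and, only when asked, switches a KSP-based CA to SHA256. The `-Apply` switch is a name chosen for this example, and treating `ProviderType` 0 as "CNG key storage provider" is the assumption the script relies on.

```powershell
# Added example (not from the original post). Run elevated on the CA server.
# -Apply is a hypothetical switch for this script: without it, nothing is changed.
param([switch]$Apply)

# The CertSvc configuration key holds one subkey per CA; 'Active' names the running one.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$csp    = Get-ItemProperty -Path (Join-Path $base "$caName\CSP")

# Report what the CA is configured to sign with today.
[pscustomobject]@{
    CA               = $caName
    Provider         = $csp.Provider
    ProviderType     = $csp.ProviderType
    CNGHashAlgorithm = $csp.CNGHashAlgorithm
} | Format-List

# Assumption: ProviderType 0 means a CNG key storage provider (KSP).
# Any other value is a legacy CSP; the hash setting below does not apply to it.
if ($csp.ProviderType -ne 0) {
    Write-Warning "CA '$caName' uses a legacy CSP ($($csp.Provider)). Check whether it supports SHA-2 or migrate to a KSP first."
    return
}

if ($csp.CNGHashAlgorithm -match '^SHA(256|384|512)$') {
    Write-Output "CA '$caName' already signs with $($csp.CNGHashAlgorithm)."
    return
}

if ($Apply) {
    # Instruct the CA to use SHA256 for future signing, then restart the service
    # so the new setting is picked up.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    Restart-Service -Name certsvc
    certutil -getreg ca\csp\CNGHashAlgorithm
} else {
    Write-Output "CA '$caName' signs with $($csp.CNGHashAlgorithm). Re-run with -Apply to switch to SHA256."
}
```

The change affects only certificates and CRLs signed after the service restart; the CA's own certificate keeps its existing signature until it is renewed.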
Check these posts to get more familiar with this topic:
- PKI Certificate Services SHA-1 Deprecation
- Cryptographic Providers: SHA-1 & SHA-2 support
- SHA-2 Support – Migrate your CA from CSP to KSP