I have a rootca using SHA-1 algorithm. Is it possible to generate a subca or sign any csr with SHA-2. Migrating from SHA-1 to SHA-2 is not an option. I want to have cerificate with SHA-2 with its issuer using SHA-1.Is there any link to have more clear picture on the related topic.
This is possible - a different signature algorithm can be used for each certificate in a chain.
RFC 5280 section 6.1.4 - Preparation for Certificate i+1 describes the relevant part of the certification path validation algorithm. In particular, note:
(f) Assign the certificate subjectPublicKey algorithm to the
working_public_key_algorithm variable.
This indicates that each certificate may use a different type of public key, which stronly implies that each certificate may be certified using a different signature algorithm. Furthermore, there is no statement in RFC 5280 that signatures in a certificate path using the same public key type must use the same signature algorithm.