Hi, sorry for late answer. Please note this community is not actively monitored by Intel employees.
SHA-2 leaf certificates (AMT Provisioning certificates) are supported by Intel AMT 6.0 or newer.
Intel AMT up to AMT 10 has only SHA-1 CA root certificate hashes embeded in default AMT FW - so you will have to use CA vendor cross signing certificate for CA's SHA-2 root cert issued by CA's SHA-1 "old" root.
all such certificates shall be installed on RCS server so SHA-2 leaf (AMT Provisioning certificate) trust chain will lead via cross sign cert to "old" SHA-1 root from AMT FW list.
and it works (checked it with other customers for AMT 8/9/10).
For some CAs they have different Roots for SHA 1 and for SHA 2 and new one may not be cross signed - you will have to check it with CA.
rgds
darek