SHA1 CA to SHA2 CA

I have an internal CA that the CA Cert is sha1.

It is an internal Enterprise CA, used for personal purposes only 

What is the best practice to upgrade a CA Cert from Sha1 to Sha2?

Downgrade the CA Server to a non CA Server and then make it CA Server with the CA Cert being a SHA2,
or would the following command do the same?

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc && net start certsvc

Sincerely
David

October 16th, 2014 9:33pm

Command-line with CA certificate renewal will do the trick. Read more: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=134
October 17th, 2014 8:25am

thank you for your reply.

Sincerely
David

October 19th, 2014 8:00am

Hi, you cannot just downgrade the CA to a non CA server.

Reason: your old CA needs to publish CRLs for your certificate consumers.

"or would the following command do the same?"
certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Doing this will cause your CA to use SHA-2 for any NEW signing requests. This means that your CA cert is still using the old SHA-1. You may have to renew your CA certificate after you run the command in order to have your CA certificate using SHA-2.

Be careful when running this command, as the CA will start using SHA-2 to sign any coming CRLs. If you have apps that consume your certificates and they do not support SHA-2, then it will be difficult for them to check the authenticity of the CRLs when they perform revocation setting.

I guess side by side migration is the best way to go here.

Check this white paper for a full description of what options you have here.

http://ammarhasayen.com/2015/02/02/pki-certificate-services-sha-1-deprecation/

February 18th, 2015 2:55am
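A way to see where such a CA actually stands after the certutil command, as an added PowerShell example that is not part of this thread. It assumes it is run elevated on the CA server itself, that the CA configuration lives at the standard CertSvc registry path, and that the CA certificate (with its private key) is in the LocalMachine\My store, as it is for an AD CS CA:

```powershell
# Added example (not from the thread): report which hash the CA will use for NEW
# signatures versus the hash its own CA certificate was signed with.
# Assumptions: run elevated on the CA server; standard CertSvc registry layout;
# CA certificate with private key present in Cert:\LocalMachine\My.
function Get-CAHashStatus {
    [CmdletBinding()]
    param()

    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # The "Active" value names the CA instance hosted on this server
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $csp    = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")

    # CNGHashAlgorithm is the value that `certutil -setreg ca\csp\CNGHashAlgorithm SHA256`
    # sets. It governs new signatures (issued certs, CRLs), not the existing CA cert.
    $signingHash = $csp.CNGHashAlgorithm
    if (-not $signingHash) {
        # A CA still on a legacy CSP has no CNG value; the DWORD HashAlgorithm applies instead
        $signingHash = 'n/a (legacy CSP, see ca\csp\HashAlgorithm)'
    }

    # The CA's own certificate: newest cert whose subject is this CA and which has a key
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1

    $certAlg    = 'not found'
    $thumbprint = $null
    if ($caCert) {
        $certAlg    = $caCert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA / sha256RSA
        $thumbprint = $caCert.Thumbprint
    }

    [pscustomobject]@{
        CAName              = $caName
        NewSignatureHash    = $signingHash
        CACertSignatureAlg  = $certAlg
        CACertThumbprint    = $thumbprint
        # Only a CA certificate renewal moves the CA cert itself off SHA-1
        CACertRenewalNeeded = ($certAlg -match 'sha1')
    }
}

Get-CAHashStatus | Format-List
```

If NewSignatureHash already reads SHA256 but CACertSignatureAlg is still sha1RSA, the CA is in exactly the state the reply above describes: new certificates and CRLs get SHA-2 signatures, while the CA certificate itself waits for a renewal.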

