For the CSR, you only specify the key length and type (RSA, DSA or ECDSA). The hash algorithym is specified by the CA server that issues the signed certificate. There is no way to "force" SHA-2 on the firewall.
SHA-2 (SHA-256) is supported in 6.3r11 and above for SSL and 6.2 for VPN authentication.
https://www.juniper.net/techpubs/software/screenos/screenos6.2.0/rn-620r18-rev02.pdf page 12.