SHA-2 Authenticode signing requires an RFC 3161 timestamp server. The timestamp.verisign.com URL does not work for this.
The RFC 3161 URL for Symantec/Verisign is:
http://sha256timestamp.ws.symantec.com/sha256/timestamp
If you are still using the older http://timestamp.geotrust.com/tsa URL, and it is failing (April 2017), you should update it to the above one. GeoTrust, like Verisign, is now part of Symantec.
Source:
https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO5820