rhboot / shim

UEFI shim loader

Cannot secure boot with new Certificate embedded, Verification failed (0x1A) Security Violation

ncboot opened this issue · comments

We had a perfectly running MS-signed shim boot loader and Secure Boot worked fine.
But then our Certificate expired. We need to create a new shim boot loader and pass shim-review and the MS signing process.

In our Dockerfile I replaced the reference to the old expired certificate with a reference to the new Certificate.
Shim 15.7 is built properly from Docker. It is a simple build with a command like this:

make VENDOR_CERT_FILE=my-corp.cer

Then I emulate MS signing for this shimx64.efi and sign the new grub and kernel using the new certificate.
I had written the corresponding emulation databases for PSK, KEK and PK into the PC's EFI BIOS.
I did that many times in the past with our older Certificate embedded into shim.

But now Secure Boot fails with the error "Verification failed (0x1A) Security Violation".

Question: what are the requirements for the Certificate? Do any limitations on the crypto algorithms used exist?
I am trying to check what the difference is in the signed grub.
I see that grub signed with the new Certificate has the record "Digest Encryption Algorithm ECC" (left image),
but grub signed with the older Certificate has the record "Digest Encryption Algorithm RSA" (right image):
[image: signature details of grub signed with the new (ECC) and the old (RSA) certificate]

Can it be the issue or not?

The second question is how to debug shim. Can I receive debug messages via the serial port or in some other way? Please advise how to configure any debug process!

Regarding the debug mode, you can compile shim in verbose mode: globals.c:34: UINT32 verbose = 1;

I managed to create a test environment using edk2/ovmf in QEMU, but as far as I know it does not have built-in support for ECC.

Yeah, I wouldn't expect ECC to be well tested since MS still ships RSA keys in system firmwares and there aren't any government requirements (that I know of...) for anything but RSA yet.
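An added pre-flight check for the RSA-versus-ECC question raised in this issue (example code written for this page, not shim's code and not from the reporter): it pulls the Authenticode signature out of a signed shimx64.efi or grubx64.efi and lists which signature and key algorithms appear in it, so an ECC-signed image can be spotted before keys are enrolled in firmware. It only parses the PE headers and the DER structure; it does not verify the signature, and the OID table is deliberately limited to the common RSA and EC identifiers.

```python
import struct

# OIDs the firmware (or shim's bundled crypto) must support before it can verify the signature.
KNOWN = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
         "1.2.840.10045.2.1": "ecPublicKey", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def decode_oid(raw):
    # DER OBJECT IDENTIFIER contents -> dotted form; the first byte packs the first two arcs
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def iter_oids(der):
    # Walk DER TLVs, recursing into constructed types (SEQUENCE, SET, [n]) and yielding every OID
    pos = 0
    while pos + 2 <= len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:                       # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        body = der[pos:pos + length]
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:
            yield from iter_oids(body)
        pos += length

def certificate_table(pe):
    # PKCS#7 SignedData from the PE security directory (entry 4; its address is a file offset, not an RVA)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                         # optional header follows the 20-byte COFF header
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)  # PE32+ vs PE32
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if size == 0:
        raise ValueError("image carries no Authenticode signature")
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, offset)   # WIN_CERTIFICATE header
    if cert_type != 0x0002:                     # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected WIN_CERTIFICATE type %#x" % cert_type)
    return pe[offset + 8:offset + length]

def signer_algorithms(pe):
    # Sorted names of the known algorithms anywhere in the signature (signer certs and SignerInfo)
    return sorted({KNOWN[o] for o in iter_oids(certificate_table(pe)) if o in KNOWN})
```

Feed it the bytes of the signed image (for example signer_algorithms(open("grubx64.efi", "rb").read())); an ec* entry in the result is the ECC case the reporter's screenshot shows, which the comments above flag as poorly supported by common firmware, so it is worth running before enrolling keys or requesting signing.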