Problem Statement:

How to change the signature algorithm on CA (Certification Authority) Server from RSASSA-PSS to RSA256SHA?

Cause:

You have legacy clients e.g. Windows XP, Window Server 2003 cannot validate the RSASSA-PSS signature and this behavior cannot be changed by installing any Service Packs as well. RSASSA-PSS signatures are supported on Vista and later operating systems only.

The RSASSA-PSS signature algorithm is NOT compatible with CISCO ACS and BES12 (https://quickview.cloudapps.cisco.com/quickview/bug/CSCug22137)

Resolution:

Modify the following registry value:

HKLM\system\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\CSP

Value Type: REG_DWORD

Value Name: AlternateSignatureAlgorithm

Value Data: 0x0

If you are using CAPolicy.inf file, make sure you remove AlternateSignatureAlgorithm from there as well.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>