How to change the signature algorithm on CA (Certification Authority) Server from RSASSA-PSS to RSA256SHA?
Legacy clients such as Windows XP and Windows Server 2003 cannot validate RSASSA-PSS signatures, and this behavior cannot be changed by installing service packs. RSASSA-PSS signatures are supported on Vista and later operating systems only.
The RSASSA-PSS signature algorithm is also NOT compatible with Cisco ACS and BES12 (https://quickview.cloudapps.cisco.com/quickview/bug/CSCug22137).
Modify the following registry value:
Value Type: REG_DWORD
Value Name: AlternateSignatureAlgorithm
Value Data: 0x0
If you are using a CAPolicy.inf file, make sure you remove AlternateSignatureAlgorithm from it as well.
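The two steps above as a PowerShell sketch, added here as an example and not part of the original page. It assumes the standard AD CS layout, where the value sits under the CA's CSP key in HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, that CAPolicy.inf is in %SystemRoot%, and that the CertSvc service must be restarted for the change to take effect.

```powershell
# Added example: run in an elevated PowerShell session on the CA server.
# Assumptions: standard AD CS registry layout and CAPolicy.inf in %SystemRoot%.
$ErrorActionPreference = 'Stop'

# Locate the active CA's CSP key (the "Active" value holds the CA name).
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName     = (Get-ItemProperty -Path $configRoot -Name Active).Active
$cspKey     = Join-Path $configRoot "$caName\CSP"

# Read the current setting; a missing value comes back as $null.
$current = (Get-ItemProperty -Path $cspKey -Name AlternateSignatureAlgorithm `
            -ErrorAction SilentlyContinue).AlternateSignatureAlgorithm
Write-Host "CA '$caName': AlternateSignatureAlgorithm = $current"

if ($current -ne 0) {
    # 0x0 = PKCS #1 v1.5 signatures, which the legacy clients can validate.
    Set-ItemProperty -Path $cspKey -Name AlternateSignatureAlgorithm `
                     -Value 0 -Type DWord
    Restart-Service -Name CertSvc
    Write-Host 'Value set to 0 and CertSvc restarted.'
}

# Flag a leftover CAPolicy.inf entry so it can be removed by hand.
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $caPolicy) {
    $hits = Select-String -Path $caPolicy `
                          -Pattern '^\s*AlternateSignatureAlgorithm\s*='
    foreach ($hit in $hits) {
        Write-Warning ("{0} line {1}: {2}" -f $caPolicy, $hit.LineNumber, $hit.Line.Trim())
    }
    if (-not $hits) { Write-Host 'CAPolicy.inf has no AlternateSignatureAlgorithm entry.' }
} else {
    Write-Host 'No CAPolicy.inf found.'
}
```

The setting affects only what the CA signs after the restart; certificates already issued, including the CA's own certificate, keep their RSASSA-PSS signatures until they are reissued or renewed. `certutil -getreg csp\AlternateSignatureAlgorithm` reads the value back for confirmation.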