Problem Statement:

How to change the signature algorithm on a CA (Certification Authority) server from RSASSA-PSS to sha256RSA (RSASSA-PKCS1-v1_5)?

Cause:

Legacy clients such as Windows XP and Windows Server 2003 cannot validate RSASSA-PSS signatures, and this cannot be changed by installing any service pack. RSASSA-PSS signatures are supported on Windows Vista and later operating systems only.

The RSASSA-PSS signature algorithm is also NOT compatible with Cisco ACS and BES12 (https://quickview.cloudapps.cisco.com/quickview/bug/CSCug22137).

Resolution:

Modify the following registry value:

HKLM\system\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\CSP

Value Type: REG_DWORD

Value Name: AlternateSignatureAlgorithm

Value Data: 0x0

If you are using a CAPolicy.inf file, make sure you remove AlternateSignatureAlgorithm from there as well, otherwise the setting will be reapplied the next time the CA certificate is renewed.
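The following PowerShell script is an added example, not part of the original article: it reads the active CA name from the registry, shows the current value, applies the change described above, restarts the CA service so it takes effect, and then inspects the signature algorithm of the CA's own certificate. It assumes it is run in an elevated session on the CA server itself and that the CA certificate sits in the machine's Personal store.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on the CA server.

# The CA name is stored in the 'Active' value of the Configuration key,
# so it does not have to be typed by hand.
$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $confKey).Active
$cspKey  = "$confKey\$caName\CSP"

# 1. Show the current setting: 1 = RSASSA-PSS, 0 (or missing) = sha256RSA (PKCS#1 v1.5)
$before = (Get-ItemProperty -Path $cspKey -Name AlternateSignatureAlgorithm `
           -ErrorAction SilentlyContinue).AlternateSignatureAlgorithm
"Before: AlternateSignatureAlgorithm = $before"

# 2. Set the value to 0. This is the same change the article describes;
#    the equivalent CLI form is: certutil -setreg ca\csp\AlternateSignatureAlgorithm 0
Set-ItemProperty -Path $cspKey -Name AlternateSignatureAlgorithm -Value 0 -Type DWord

# 3. The CA reads this value at start-up, so restart Certificate Services.
Restart-Service -Name CertSvc

# 4. Confirm what the CA now sees.
certutil -getreg ca\csp\AlternateSignatureAlgorithm

# 5. Newly issued certificates will now be signed with sha256RSA, but the
#    CA's own certificate keeps the signature it was created with. If it
#    still reports RSASSA-PSS, legacy clients cannot validate the chain until
#    the CA certificate is renewed.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$caName*" } |
          Select-Object -First 1
"CA certificate signature algorithm: " + $caCert.SignatureAlgorithm.FriendlyName
```

If step 5 still shows RSASSA-PSS, renew the CA certificate with its existing key (certutil -renewCert ReuseKeys) after the registry change so that the CA certificate itself is re-signed with sha256RSA.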
