Microsoft CA RSASSA-PSS Algorithm Issue with ASA

Unanswered Question
May 2nd, 2014

If you create a Microsoft Root Certificate Authority (CA) with Windows Server 2008 and create a CAPolicy.inf file, you have to remove the AlternateSignatureAlgorithm=1 for the certificate to work with the Cisco ASA 8.4(7). If the AlternateSignatureAlgorithm=1 is in the CAPolicy.inf file, the root certificate will be created with the algorithm = RSASSA-PSS. If you remove this from the CAPolicy.inf file, the algorithm will be RSA SHA.

I ran into this issue in a Microsoft guide. The notes do say that AlternateSignatureAlgorithm will not work with Windows XP client computers. I have also seen that it will not work with Windows 2003 servers.

When trying to add a CA to the ASA from ASDM, this is the error:

 

Error

 

Thanks,

Alex

cisco_inplat-tech Thu, 06/04/2015 - 07:41

I discovered the same issue :( Answer: add this file to the registry on the CA:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%NameCA%\CSP]
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"HashAlgorithm"=dword:00008004
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"
"AlternateSignatureAlgorithm"=dword:00000001
"MachineKeyset"=dword:00000001

and renew the Root CA & Issuing CA certificates
