New Member

Microsoft CA RSASSA-PSS Algorithm Issue with ASA

If you create a Microsoft Root Certificate Authority (CA) with Windows Server 2008 and create a CAPolicy.inf file, you have to remove the AlternateSignatureAlgorithm=1 for the certificate to work with the Cisco ASA 8.4(7). If the AlternateSignatureAlgorithm=1 is in the CAPolicy.inf file, the root certificate will be created with the algorithm = RSASSA-PSS. If you remove this from the CAPolicy.inf file, the algorithm will be RSA SHA.

I ran into this issue in a Microsoft guide. The notes do say that AlternateSignatureAlgorithm will not work with Windows XP client computers. I have also seen that it will not work with Windows 2003 servers.

When trying to add a CA to the ASA from ASDM, this is the error:

[Image: Error]

Thanks,

Alex

2 REPLIES
New Member

I discovered the same issue :( Answer: add this file to the registry on the CA:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%NameCA%\CSP]
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"HashAlgorithm"=dword:00008004
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"
"AlternateSignatureAlgorithm"=dword:00000001
"MachineKeyset"=dword:00000001

and renew the Root CA & Issuing CA certificates

New Member

I've also suffered with this :(

NDES – Fails to Issue Certificates (Signature Algorithm)

Pete
