Issue:
We encountered the following error when importing a new certificate via the AdminUI:
2017-05-08 17:30:25,033 ERROR [com.ca.fedpki.api.remote.FedPkiKeyStore] (http-0.0.0.0-8080-10) **ERROR** java.security.cert.CertificateException commiting keystore change for alias citrix-enidrive-2017.
java.security.cert.CertificateException: com.rsa.certj.cert.CertificateException: Unknown or invalid signature algorithm
Is there a workaround for importing this type of certificate (SHA256NoSign) provided by the SP?
Environment:
AdminUI 12.52SP1CR02 on RedHat 6 64bit; Policy Server 12.52SP1CR02 on RedHat 6 64bit;
Cause:
The issue is caused by the signature algorithm of the imported certificate:
-> Signature Algorithm : sha256NoSign
-> This algorithm is not among those supported by the product, as listed in the documentation:
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/encryption-and-decryption-algorithms
-> Sign Algorithms:
- MD5withRSA, SHA1withRSA, SHA256withRSA & SHA512withRSA
As you can see, sha256NoSign is not among them.
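As an added pre-import check (not part of this article or of the product), the following Python reads the outer signatureAlgorithm OID from a DER-encoded certificate and reports whether it is one of the four algorithms listed above. The two sample certificates are constructed skeletons, not real certificates, and the association of the bare SHA-256 hash OID 2.16.840.1.101.3.4.2.1 with the Windows label "sha256NoSign" is an assumption from general knowledge, not something the article states.

```python
SUPPORTED_SIG_ALGS = {  # the algorithms the article lists as supported, keyed by signature OID
    "1.2.840.113549.1.1.4": "MD5withRSA", "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA", "1.2.840.113549.1.1.13": "SHA512withRSA",
}
# Bare SHA-256 hash OID; Windows shows it as "sha256NoSign" when it appears as a signature algorithm.
SHA256_NOSIGN_OID = "2.16.840.1.101.3.4.2.1"

def _read_tlv(buf, pos):
    """Parse one DER TLV starting at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of following length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):  # DER OBJECT IDENTIFIER value -> dotted notation
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_algorithm_oid(der):
    """Return the OID from Certificate.signatureAlgorithm (the outer field, not the one inside TBS)."""
    tag, cert, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; base64-decode the PEM body first")
    _, _, pos = _read_tlv(cert, 0)         # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)    # signatureAlgorithm ::= AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg_id, 0)       # algorithm OBJECT IDENTIFIER (tag 0x06)
    return _decode_oid(oid)

def check_signature_algorithm(der):
    """Return (algorithm name, accepted) for the certificate's signature algorithm."""
    oid = signature_algorithm_oid(der)
    if oid in SUPPORTED_SIG_ALGS:
        return SUPPORTED_SIG_ALGS[oid], True
    return ("sha256NoSign" if oid == SHA256_NOSIGN_OID else oid), False

def sample_cert(oid_der):
    """Constructed, unsigned skeleton: SEQUENCE { tiny tbs, AlgorithmIdentifier { oid, NULL }, BIT STRING }."""
    alg = bytes([0x30, len(oid_der) + 2]) + oid_der + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\xaa"
    return bytes([0x30, len(body)]) + body

GOOD_CERT = sample_cert(bytes.fromhex("06092a864886f70d01010b"))  # constructed: sha256WithRSAEncryption
BAD_CERT = sample_cert(bytes.fromhex("0609608648016503040201"))   # constructed: bare SHA-256 OID ("sha256NoSign")
```

For a real certificate, pass the base64-decoded body of the PEM file to check_signature_algorithm; a result of (name, False) means the import will be rejected with the error above.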
Resolution:
To solve the issue, the certificate must use a supported signature algorithm, as described in the documentation:
Encryption and Decryption Algorithms
Additional Information:
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/encryption-and-decryption-algorithms
KD: TEC1835597