Tech Tip : CA Single Sign-On : AdminUI error on importing new certification for federation

Document created by Osarobo_Idehen Employee on Aug 18, 2017

Issue:


We encountered the error below when importing a new certificate via the AdminUI:

2017-05-08 17:30:25,033 ERROR [com.ca.fedpki.api.remote.FedPkiKeyStore] (http-0.0.0.0-8080-10) **ERROR** java.security.cert.CertificateException commiting keystore change for alias citrix-enidrive-2017.

java.security.cert.CertificateException: com.rsa.certj.cert.CertificateException: Unknown or invalid signature algorithm

Is there a workaround for importing this type of certificate (signed with SHA256NoSign) as provided by the SP?


Environment:

AdminUI 12.52SP1CR02 on RedHat 6 64-bit; Policy Server 12.52SP1CR02 on RedHat 6 64-bit.


Cause:


The issue is caused by the signature algorithm used in the certificate:

-> Signature Algorithm: sha256NoSign

-> This algorithm is not supported; see:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/encryption-and-decryption-algorithms

-> Supported sign algorithms:

- MD5withRSA, SHA1withRSA, SHA256withRSA and SHA512withRSA

As you can see, sha256NoSign is not among them.
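A practical check before attempting the import, as an added example written for this tip (not code from the article or from the CA product): read the outer signatureAlgorithm OID straight from the certificate's DER encoding and compare it with the documented list. The bare SHA-256 digest OID 2.16.840.1.101.3.4.2.1, which Windows displays as sha256NoSign, identifies a hash rather than a signature scheme, so it can never match a supported entry; the two DER blobs at the bottom are constructed stand-ins for testing, not real certificates.

```python
# Supported names as listed in the CA docs, keyed by their standard PKCS#1 OIDs.
SUPPORTED = {"1.2.840.113549.1.1.4": "MD5withRSA", "1.2.840.113549.1.1.5": "SHA1withRSA",
             "1.2.840.113549.1.1.11": "SHA256withRSA", "1.2.840.113549.1.1.13": "SHA512withRSA"}
# Bare SHA-256 hash OID, shown by Windows as "sha256NoSign": a digest, not a signature scheme.
NOT_A_SIGNATURE = {"2.16.840.1.101.3.4.2.1": "sha256NoSign"}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_to_str(raw):
    """Dotted OID from DER content bytes (first byte packs two arcs, rest are base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, pos, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, pos)       # skip tbsCertificate entirely
    _, alg_pos, _ = _tlv(der, tbs_end)   # signatureAlgorithm AlgorithmIdentifier
    tag, start, end = _tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _oid_to_str(der[start:end])

def check_for_adminui(der):
    """Return ('ok', name) or ('unsupported', name-or-oid) before trying the import."""
    oid = signature_algorithm_oid(der)
    if oid in SUPPORTED:
        return "ok", SUPPORTED[oid]
    return "unsupported", NOT_A_SIGNATURE.get(oid, oid)

def _sample(oid_bytes):
    """Constructed, certificate-shaped DER for testing only (tbs is just a version INTEGER)."""
    alg = b"\x30" + bytes([len(oid_bytes) + 2]) + b"\x06" + bytes([len(oid_bytes)]) + oid_bytes
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body

SHA256_RSA_CERT = _sample(bytes.fromhex("2a864886f70d01010b"))     # 1.2.840.113549.1.1.11
SHA256_NOSIGN_CERT = _sample(bytes.fromhex("608648016503040201"))  # 2.16.840.1.101.3.4.2.1
```

For a real certificate, pass the DER bytes of the file (a PEM file can be converted with `openssl x509 -in cert.pem -outform DER`).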

 


Resolution:


To solve the issue, use a supported signature algorithm as listed in the documentation:

Encryption and Decryption Algorithms



Additional Information:


https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/encryption-and-decryption-algorithms


KD : TEC1835597
