https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352858#M13610 <HTML><HEAD></HEAD><BODY><P>Hi Michael,</P><P></P><P>Yes that is correct, only supports TLS 1.2 at this stage.</P><P></P><P>There is no such Esri documentation as yet that I'm aware of.</P><P></P><P>My statement regarding TLS 1.3 was in relation to JRE / Java security roadmap / roll outs / bug fixes that I discovered in the <A href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8202625">Oracle Java Bug Database</A>.</P><P></P><P>Thanks,</P><P><BR />Dean</P></BODY></HTML> Thu, 09 Jan 2020 13:52:14 GMT DeanMoiler 2020-01-09T13:52:14Z https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352855#M13607 <HTML><HEAD></HEAD><BODY><P>Hello fellow mappers!</P><P></P><P>I'm having an issue with Portal/Server (10.5.1) federation validation when using certificates signed with the <SPAN style="color: #ff0000;"><STRONG>RSASSA-PSS</STRONG></SPAN>&nbsp;(<STRONG>SHA1withRSAandMGF1</STRONG>) signature algorithm.</P><P></P><P>The certificates along with root and intermediate certificates installed fine, so no problems there.</P><P></P><P>The system operates within a Windows Domain&nbsp;so i'm assuming that it's an MS CA doing the signing.</P><P></P><P>The error i'm receiving when validating is the following:</P><P></P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>Error: javax.net.ssl.SSLHanshakeException: java.security.cert.CertificateException: Certificate does not conform to algorithm constraints</P></BLOCKQUOTE><P></P><P>I believe this is causing some other issues relating to CPU flooding from the javaw.exe process over time, causing the Portal server to become unresponsive as well as not being able to contact the ArcGIS DataStore due to the issues validating the hosting server.</P><P></P><P>From what I can tell the <SPAN style="color: #ff0000;"><STRONG>RSASSA-PSS</STRONG></SPAN> cipher suite&nbsp;has been <A href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8146293">updated in JDK</A>&nbsp;as part of <A href="http://openjdk.java.net/jeps/332">TLS 1.3 rollout</A>, though I can't seem to find reference in the <A href="https://java.com/en/jre-jdk-cryptoroadmap.html">JRE crypto roadmap</A>.</P><P></P><P>So&nbsp;I've got two questions:</P><P></P><OL><LI>Does anyone know when Java/Esri will support the above algorithm constraints?</LI><LI>Is it possible for the CA to "simply" sign the CSR with a <A href="http://enterprise.arcgis.com/en/portal/10.5/administer/windows/restrict-portal-for-arcgis-ssl-protocols-and-cipher-suites.htm#ESRI_SECTION1_AF37E915749E412EA1099CDA660A0281">supported algorithm</A>&nbsp;to establish normal operations?</LI></OL><P></P><P>Thanks!</P><P></P><P>Dean</P></BODY></HTML> Tue, 19 Mar 2019 18:25:54 GMT https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352855#M13607 DeanMoiler 2019-03-19T18:25:54Z https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352856#M13608 <HTML><HEAD></HEAD><BODY><P>As an update in case anyone comes across a similar issue, certificates signed with <A href="https://www.pkisolutions.com/pkcs1v2-1rsassa-pss/">PKCS #1 Version 2.1</A> will be&nbsp;shown as&nbsp;<STRONG style="color: #ff0000; background-color: #ffffff; border: 0px; font-weight: bold;">RSASSA-PSS.</STRONG></P><P></P><P>A CA was configured with an SHA256 (rather than SHA1)&nbsp;hash algorithm and :</P><P></P><P style="padding-left: 30px;"><SPAN style="font-size: 8.5pt; color: black;">CNGEncryptionAlgorithm 3DES<BR /> CNGPublicKeyAlgorithm RSA&nbsp;</SPAN></P><P></P><P>Generating the CSR's in AGS and being signed by new CA worked a treat.</P></BODY></HTML> Tue, 08 Oct 2019 15:14:52 GMT https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352856#M13608 DeanMoiler 2019-10-08T15:14:52Z https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352857#M13609 <HTML><HEAD></HEAD><BODY><P>You mention a TLS 1.3 rollout in your original post.&nbsp; I thought ESRI software only recognized up to TLS 1.2 at this point in time.&nbsp; Do you have any ESRI documentation that mentions TLS 1.3 that you can provide links to?</P></BODY></HTML> Tue, 08 Oct 2019 15:28:45 GMT https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352857#M13609 MichaelVolz 2019-10-08T15:28:45Z https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352858#M13610 <HTML><HEAD></HEAD><BODY><P>Hi Michael,</P><P></P><P>Yes that is correct, only supports TLS 1.2 at this stage.</P><P></P><P>There is no such Esri documentation as yet that I'm aware of.</P><P></P><P>My statement regarding TLS 1.3 was in relation to JRE / Java security roadmap / roll outs / bug fixes that I discovered in the <A href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8202625">Oracle Java Bug Database</A>.</P><P></P><P>Thanks,</P><P><BR />Dean</P></BODY></HTML> Thu, 09 Jan 2020 13:52:14 GMT https://community.esri.com/t5/arcgis-enterprise-questions/certificate-does-not-conform-to-algorithm/m-p/352858#M13610 DeanMoiler 2020-01-09T13:52:14Z