Certificate does not conform to algorithm constraints

03-19-2019 11:25 AM
New Contributor III

Hello fellow mappers!

I'm having an issue with Portal/Server (10.5.1) federation validation when using certificates signed with the RSASSA-PSS (SHA1withRSAandMGF1) signature algorithm.

The certificates along with root and intermediate certificates installed fine, so no problems there.

The system operates within a Windows Domain so I'm assuming that it's an MS CA doing the signing.

The error I'm receiving when validating is the following:

Error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate does not conform to algorithm constraints

I believe this is causing some other issues relating to CPU flooding from the javaw.exe process over time, causing the Portal server to become unresponsive, as well as not being able to contact the ArcGIS DataStore due to the issues validating the hosting server.

From what I can tell the RSASSA-PSS cipher suite has been updated in JDK as part of TLS 1.3 rollout, though I can't seem to find reference in the JRE crypto roadmap.

So I've got two questions:

  1. Does anyone know when Java/Esri will support the above algorithm constraints?
  2. Is it possible for the CA to "simply" sign the CSR with a supported algorithm to establish normal operations?

Thanks!

Dean


Accepted Solutions
New Contributor III

As an update in case anyone comes across a similar issue, certificates signed with PKCS #1 Version 2.1 will be shown as RSASSA-PSS.

A CA was configured with an SHA256 (rather than SHA1) hash algorithm and:

CNGEncryptionAlgorithm 3DES
CNGPublicKeyAlgorithm RSA 

Generating the CSRs in AGS and having them signed by the new CA worked a treat.

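As an added example (not code from Dean's post or from Esri), the following PowerShell check flags certificates whose signature algorithm is RSASSA-PSS (what the Windows CA calls PKCS #1 v2.1) or SHA-1 based before they are installed in Portal/Server, and notes the AD CS registry value that controls PSS signing. The OID table, the function name and the file path are assumptions; the certutil lines are shown as comments because they are run on the CA, not on the ArcGIS host.

```powershell
# Added example, not from the original thread. Requires Windows PowerShell 5.1 or later.
# Signature-algorithm OIDs (constructed lookup table) and how to treat each one.
$SigAlgVerdict = @{
    '1.2.840.113549.1.1.10' = @{ Name = 'RSASSA-PSS (PKCS #1 v2.1)';  Verdict = 'Reissue' }  # rejected by the JRE in the thread
    '1.2.840.113549.1.1.5'  = @{ Name = 'sha1WithRSAEncryption';     Verdict = 'Reissue' }  # SHA-1, disabled in modern JREs
    '1.2.840.10045.4.1'     = @{ Name = 'ecdsa-with-SHA1';           Verdict = 'Reissue' }
    '1.2.840.113549.1.1.11' = @{ Name = 'sha256WithRSAEncryption';   Verdict = 'OK' }       # what the re-issued CA produced
    '1.2.840.113549.1.1.12' = @{ Name = 'sha384WithRSAEncryption';   Verdict = 'OK' }
    '1.2.840.113549.1.1.13' = @{ Name = 'sha512WithRSAEncryption';   Verdict = 'OK' }
    '1.2.840.10045.4.3.2'   = @{ Name = 'ecdsa-with-SHA256';         Verdict = 'OK' }
    '1.2.840.10045.4.3.3'   = @{ Name = 'ecdsa-with-SHA384';         Verdict = 'OK' }
}

function Test-CertSignatureAlgorithm {
    # Hypothetical helper name; accepts X509Certificate2 objects from the pipeline.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        $oid = $Cert.SignatureAlgorithm.Value
        if ($SigAlgVerdict.ContainsKey($oid)) {
            $name    = $SigAlgVerdict[$oid].Name
            $verdict = $SigAlgVerdict[$oid].Verdict
        } else {
            # Anything not in the table is reported, not guessed at.
            $name    = $Cert.SignatureAlgorithm.FriendlyName
            $verdict = 'Unknown'
        }
        [pscustomobject]@{
            Subject   = $Cert.Subject
            Issuer    = $Cert.Issuer
            NotAfter  = $Cert.NotAfter
            SigAlgOid = $oid
            SigAlg    = $name
            Verdict   = $verdict
        }
    }
}

# Check the whole machine store (server cert plus the intermediate/root chain it presents).
Get-ChildItem Cert:\LocalMachine\My | Test-CertSignatureAlgorithm | Format-Table -AutoSize

# Or a single file returned by the CA (placeholder path, assumption):
# New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\server.cer' |
#     Test-CertSignatureAlgorithm

# On the issuing AD CS server: AlternateSignatureAlgorithm = 1 makes the CA sign with
# PKCS #1 v2.1 (RSASSA-PSS); 0 restores PKCS #1 v1.5. CNGHashAlgorithm should read SHA256.
# certutil -getreg ca\csp\AlternateSignatureAlgorithm
# certutil -getreg ca\csp\CNGHashAlgorithm
```

Any row with Verdict 'Reissue' is a certificate that will trigger the "Certificate does not conform to algorithm constraints" error during federation validation and needs to be re-signed by a CA configured as in the post above.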
3 Replies
Esteemed Contributor

You mention a TLS 1.3 rollout in your original post. I thought ESRI software only recognized up to TLS 1.2 at this point in time. Do you have any ESRI documentation that mentions TLS 1.3 that you can provide links to?

New Contributor III

Hi Michael,

Yes, that is correct; it only supports TLS 1.2 at this stage.

There is no such Esri documentation as yet that I'm aware of.

My statement regarding TLS 1.3 was in relation to JRE / Java security roadmap / rollouts / bug fixes that I discovered in the Oracle Java Bug Database.

Thanks,

Dean
