
Certificate does not conform to algorithm constraints

Question asked by ecl_moiler_d on Mar 19, 2019

Hello fellow mappers!

I'm having an issue with Portal/Server (10.5.1) federation validation when using certificates signed with the RSASSA-PSS (SHA1withRSAandMGF1) signature algorithm.

The certificates along with root and intermediate certificates installed fine, so no problems there.

The system operates within a Windows Domain so I'm assuming that it's an MS CA doing the signing.

The error I'm receiving when validating is the following:

Error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate does not conform to algorithm constraints

I believe this is causing some other issues relating to CPU flooding from the javaw.exe process over time, causing the Portal server to become unresponsive as well as not being able to contact the ArcGIS DataStore due to the issues validating the hosting server.

From what I can tell the RSASSA-PSS cipher suite has been updated in JDK as part of the TLS 1.3 rollout, though I can't seem to find a reference in the JRE crypto roadmap.

So I've got two questions:

  1. Does anyone know when Java/Esri will support the above algorithm constraints?
  2. Is it possible for the CA to "simply" sign the CSR with a supported algorithm to establish normal operations?

Thanks!

Dean
