AdminUI error on importing new certificate for federation

Document ID : KB000007560
Last Modified Date : 14/02/2018
Issue:

We encountered the error below when importing a new certificate via the AdminUI:

2017-05-08 17:30:25,033 ERROR [com.ca.fedpki.api.remote.FedPkiKeyStore] (http-0.0.0.0-8080-10) **ERROR** java.security.cert.CertificateException commiting keystore change for alias citrix-enidrive-2017.

java.security.cert.CertificateException: com.rsa.certj.cert.CertificateException: Unknown or invalid signature algorithm

Is there a workaround for importing this type of certificate, signed with SHA256NoSign, as provided by the SP?

Environment:
AdminUI 12.52SP1CR02 on RedHat 6 64-bit; Policy Server 12.52SP1CR02 on RedHat 6 64-bit
Cause:

The issue is caused by the signature algorithm of the certificate being imported:

-> Signature Algorithm: sha256NoSign

-> This algorithm is not supported. The supported algorithms are listed here:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/encryption-and-decryption-algorithms

-> Sign Algorithms:

- MD5withRSA, SHA1withRSA, SHA256withRSA & SHA512withRSA

As you can see, sha256NoSign is not among them.
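A pre-import check matching the cause above, added here as an illustration and not part of this KB article or of CA SSO itself: it reads the signatureAlgorithm OID out of a DER-encoded certificate with a minimal ASN.1 walk (no external libraries) and compares it against the four algorithms the documentation lists. The two sample certificates are constructed stand-ins with an empty tbsCertificate and signature, and the mapping of the bare SHA-256 digest OID to the name sha256NoSign follows the display name used by Windows certificate tooling.

```python
SUPPORTED_SIGNATURE_OIDS = {            # the four algorithms the CA SSO docs list
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
}
SHA256_NOSIGN_OID = "2.16.840.1.101.3.4.2.1"  # bare SHA-256 digest OID; Windows shows "sha256NoSign"

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der_cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(der_cert, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(body, 0)         # skip tbsCertificate
    _, algid, _ = _read_tlv(body, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = _read_tlv(algid, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid_bytes)

def check_import(der_cert):
    oid = signature_algorithm_oid(der_cert)
    if oid in SUPPORTED_SIGNATURE_OIDS:    # importable: (True, algorithm name)
        return True, SUPPORTED_SIGNATURE_OIDS[oid]
    return False, "sha256NoSign" if oid == SHA256_NOSIGN_OID else oid

def _fake_cert(oid_content):
    """Constructed stand-in, not a real cert: empty tbsCertificate, given OID, empty signature."""
    algid = bytes([0x30, len(oid_content) + 2, 0x06, len(oid_content)]) + oid_content
    body = bytes([0x30, 0x00]) + algid + bytes([0x03, 0x01, 0x00])
    return bytes([0x30, len(body)]) + body

SHA256_RSA_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))     # sha256WithRSAEncryption
SHA256_NOSIGN_CERT = _fake_cert(bytes.fromhex("608648016503040201"))  # id-sha256 alone
```

Running `check_import` over a real certificate's DER bytes (for example the output of `openssl x509 -outform DER`) before the AdminUI import tells you in advance whether the keystore commit will be rejected.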

Resolution:

To solve the issue, use a certificate signed with one of the signature algorithms listed as supported in the documentation:

Encryption and Decryption Algorithms

Additional Information:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/encryption-and-decryption-algorithms