CA API Gateway: The given key (algorithm=RSA) is not valid for SHA512withECDSA

Document ID : KB000111567
Last Modified Date : 17/08/2018
Issue:
When using the 'Encode JSON Web Token' assertion and signing the JWT with an ECDSA algorithm, you receive one of the following errors. The message is also written to the SSG logs.

The given key (algorithm=RSA) is not valid for SHA512withECDSA
The given key (algorithm=RSA) is not valid for SHA256withECDSA
The given key (algorithm=RSA) is not valid for SHA384withECDSA

Resolution:
The issue occurs when an RSA private key is used to sign the JWT. When selecting a private key installed on the Gateway, confirm that it is of the correct key type.

In policy manager:

1) Open the Manage Private Keys dialog (Tasks -> Certificates, Keys and Secrets -> Manage Private Keys)
2) Locate the private key you are selecting to sign the JWT and take note in particular of its 'Key Type' field.

If the Key Type is 'RSA xxxx bits', that key cannot be used with an ECDSA algorithm. Create a new private key, choosing one of the Elliptic Curve algorithms.
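The pre-flight check the Gateway is performing, written out as an added example in Go; this is not Gateway or Policy Manager code. It goes one step beyond the article: besides refusing an RSA key for ES256/ES384/ES512, it also requires the EC key's curve to match the algorithm (P-256, P-384 and P-521 respectively, as RFC 7518 section 3.4 specifies), then signs and verifies a compact JWS. The keys, claims and function names are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"hash"
	"math/big"
	"strings"
)

// esParams: curve, hash and per-coordinate width each JWS ECDSA alg requires (RFC 7518 s3.4).
type esParams struct {
	curve elliptic.Curve
	hash  func() hash.Hash
	size  int
}

var esAlgs = map[string]esParams{
	"ES256": {elliptic.P256(), sha256.New, 32},
	"ES384": {elliptic.P384(), sha512.New384, 48},
	"ES512": {elliptic.P521(), sha512.New, 66},
}

func (p esParams) digest(s string) []byte { h := p.hash(); h.Write([]byte(s)); return h.Sum(nil) }

// checkKeyForAlg rejects an RSA key (the article's failure) or an EC key on the wrong curve before signing.
func checkKeyForAlg(key crypto.PrivateKey, alg string) error {
	p, ok := esAlgs[alg]
	if !ok {
		return fmt.Errorf("unsupported ECDSA algorithm %q", alg)
	}
	switch k := key.(type) {
	case *rsa.PrivateKey: // mirrors the Gateway's "The given key (algorithm=RSA) is not valid for ..."
		return fmt.Errorf("the given key (algorithm=RSA) is not valid for %s", alg)
	case *ecdsa.PrivateKey:
		if k.Curve == p.curve {
			return nil
		}
		return fmt.Errorf("the given key (curve=%s) is not valid for %s, which needs %s",
			k.Curve.Params().Name, alg, p.curve.Params().Name)
	}
	return fmt.Errorf("unsupported key type %T", key)
}

// signJWT builds a compact JWS; JWS needs the signature as fixed-width R||S, not ASN.1 DER.
func signJWT(key crypto.PrivateKey, alg string, claims map[string]any) (string, error) {
	if err := checkKeyForAlg(key, alg); err != nil {
		return "", err
	}
	p, ecKey := esAlgs[alg], key.(*ecdsa.PrivateKey) // type assertion is safe after the check
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	r, s, err := ecdsa.Sign(rand.Reader, ecKey, p.digest(signingInput))
	if err != nil {
		return "", err
	}
	sig := make([]byte, 2*p.size)
	r.FillBytes(sig[:p.size])
	s.FillBytes(sig[p.size:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyJWT checks against the alg the verifier expects, never the token's own "alg" header.
func verifyJWT(pub *ecdsa.PublicKey, alg, token string) bool {
	p, ok := esAlgs[alg]
	parts := strings.Split(token, ".")
	if !ok || pub.Curve != p.curve || len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 2*p.size {
		return false
	}
	r, s := new(big.Int).SetBytes(sig[:p.size]), new(big.Int).SetBytes(sig[p.size:])
	return ecdsa.Verify(pub, p.digest(parts[0]+"."+parts[1]), r, s)
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-ins for keys stored on a Gateway
	p256Key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	claims := map[string]any{"sub": "example-user"}
	_, err := signJWT(rsaKey, "ES512", claims)
	fmt.Println("RSA key:", err)
	tok, _ := signJWT(p256Key, "ES256", claims)
	fmt.Println("ES256 token verifies:", verifyJWT(&p256Key.PublicKey, "ES256", tok))
}
```

Running the block with the RSA key reproduces the article's rejection before any signature is attempted; with the P-256 key and ES256 it emits a token that verifies. The verifier takes the expected algorithm as a parameter rather than reading it from the token header, so a token whose header claims a different algorithm is simply rejected.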