
Receive "java.security.cert.CertPathBuilderException: No such signature algorithm" when uploading certificates

wchatcher
Level 1

We have a Microsoft Windows 2008 R2 Root CA server issuing certificates. When I try to upload the issued certificate to tomcat on our CUCM 9.0 server, I receive "java.security.cert.CertPathBuilderException: No such signature algorithm". I can load the certificate chain in the tomcat-trust with no issues.


liayan
Level 1

I met the same issue, can you please let me know how you got it resolved? thx!

Liang

 


 

Hello,

Did you upload a certificate that was issued by a Subordinate CA or Root CA?

Try uploading one from a Subordinate CA.

Regards.

Had to reconfigure our CA to use SHA256 ciphers and reissue the certificates.

http://blogs.technet.com/b/pki/archive/2013/09/19/upgrade-certification-authority-to-sha256.aspx

Hello, same issue. Did anyone resolve this?

I have loaded a root and subordinate cert with success. But when uploading the signed cert, I get the "no such signature algorithm" error.

Is there a difference with the MS CA version that may impact this? Enterprise or not enterprise? We are running CA v 6.3. Customer recently enabled SHA256 and we have tried encoding with DER and base64 but no difference.

Thanks,

Eddie

Had to reconfigure our CA to use SHA256 ciphers and reissue the certificates. Just guessing that if you look at your cert it is currently RSASSA-PSS which is not supported.

supports Privacy Enhanced Mail (PEM) Base64 encoded format of X.509 certificate (only one PEM certificate in a file), Distinguished Encoding Rules (DER) format of X509 Certificate and DER format of PKCS#7 (Public-Key Cryptography Standards) Certificate Chain. The system does not support PEM format of PKCS#7 Certificate Chain.

http://blogs.technet.com/b/pki/archive/2013/09/19/upgrade-certification-authority-to-sha256.aspx

Eddie,

Please make sure that you are uploading the complete certificate chain i.e.,

1) Root certificate as tomcat-trust

2) Any intermediate certificate as tomcat-trust

3) Server certificate as tomcat

Apart from the above, most of the time this error occurs when the signed certificate does not match the format selected in the CSR. For example, if the CSR was generated using SHA1 as the signature algorithm and the CA signed them using SHA256, this would result in this issue.

So the key here is to make sure that a CSR which was generated using algorithm X is signed by the CA using algorithm X as well. Sometimes, with different versions of MS CA, the default signing algorithm is set to something else; customers overlook that and forget to change it while signing the certs, and hence the certs are generated with a different algorithm altogether compared to what the CSR was generated with.

Regards

Deepak

- Rate Helpful Posts -
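Added example, not part of any post in this thread and not Cisco or Microsoft code: a standard-library Python check that reads the outer signature algorithm from a certificate and a CSR (PEM or DER) and reports the two conditions raised in the replies above, an RSASSA-PSS signature and a CSR/certificate algorithm mismatch. All function names are hypothetical, and `sample` builds constructed DER skeletons for testing, not real certificates.

```python
import base64, re

# RSA signature algorithm OIDs (PKCS #1, RFC 8017)
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.10": "RSASSA-PSS",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes (first arc 0 or 1, which covers the OIDs above)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(data):
    """Outer signatureAlgorithm of an X.509 certificate or PKCS#10 CSR (bytes)."""
    pem = re.search(rb"-----BEGIN [^-]+-----(.+?)-----END", data, re.S)
    der = base64.b64decode(pem.group(1)) if pem else data
    _, body, _ = read_tlv(der, 0)          # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, body)    # skip tbsCertificate / request info
    _, alg, _ = read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg)   # its first element must be an OID
    if tag != 0x06:
        raise ValueError("not a certificate or CSR")
    oid = decode_oid(der[start:end])
    return SIG_OIDS.get(oid, oid)          # unknown OIDs are returned dotted

def check(csr, cert):
    """List the conditions from the thread that apply to this CSR/cert pair."""
    csr_alg, cert_alg = signature_algorithm(csr), signature_algorithm(cert)
    findings = ["certificate is signed with RSASSA-PSS"] if cert_alg == "RSASSA-PSS" else []
    if csr_alg != cert_alg:
        findings.append(f"CSR is {csr_alg}, certificate is {cert_alg}")
    return findings

def sample(oid_body):
    """Constructed DER skeleton (empty body, dummy signature), not a real cert."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, oid_body) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
```

For real files, pass the bytes from `open(path, "rb").read()` for the CSR and the issued certificate to `check`; an empty list means neither condition was found.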