Beginner

UCCX SSL Certificate Install error

java.security.cert.CertPathBuilderException: No such signature algorithm.

It appears that UCCX doesn't support RSASSA-PSS, which Microsoft uses on the root and issuing CA. Are there any workarounds for this?

 

6 REPLIES
Explorer

Did you find a solution to this? I'm having the same problem on callmanager and presence 10.5.

Beginner

Had to reconfigure our CA to use SHA256 ciphers and reissue the certificates

Beginner

We're getting the same error message from a customer's UCCX v10.6

The customer originally gave us an RSASSA-PSS certificate and has offered to give us an ECDH_P256 certificate, but I don't want to ask them to generate that as I don't know if it will work and can't find any documentation with a list of supported certificate types. Does anyone have a list, or even an example of one, certificate type that will work?

Explorer

We had to generate SHA256 certs, not RSA-PSS, I believe. To do it with an internal MS server we had to create a new cert profile and eventually got it.

Beginner

Ben,

Thanks for the rapid response.

This whole certificate business is still new to me and I'm struggling to find definitive documentation to explain the topic.

The cert we've been given was generated with RSASSA-PSS signature algorithm and sha256 hashing algorithm, see below.

The main problem I have is I don't know what exactly to ask the customer to provide us with in terms of the type of certificate. The customer has offered to provide a cert signed with ECDH_P256 algorithm but I don't think that will work as the release notes for CUCM v11 say that as of v11, EC-type certificates are supported, implying that in 10.x they are not. But I can't find documentation which says what types of cert are supported in 10.6.

Explorer

I think you need to create/migrate the cert authority to allow SHA256RSA.

Check this out:  https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/
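
A pre-upload check for the error discussed in this thread, added here as an example and not code from Cisco or from any poster: it reads the outer signatureAlgorithm OID from a PEM or DER certificate with only the Python standard library, so an RSASSA-PSS signature can be spotted on the server, issuing CA and root certificates before they are uploaded. The function names are hypothetical and the two sample byte strings are constructed skeletons, not real certificates.

```python
import base64

# Standard PKIX signature-algorithm OIDs for the certificate types named in this thread.
OIDS = {
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OID content bytes to dotted form (assumes a single-byte first pair)."""
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return (oid, name) from the outer signatureAlgorithm of a PEM or DER certificate."""
    if b"-----BEGIN" in cert:
        lines = [l.strip() for l in cert.splitlines()]
        cert = base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))
    tag, start, _ = read_tlv(cert, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(cert, start)                # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)            # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert, alg_start)  # algorithm OID inside it
    if tag != 0x06:
        raise ValueError("expected algorithm OID")
    oid = decode_oid(cert[oid_start:oid_end])
    return oid, OIDS.get(oid, "unknown")

# Constructed skeletons (stub tbsCertificate, dummy signature), not real certificates.
SAMPLE_PSS = bytes.fromhex("30183003020102300d06092a864886f70d01010a300003020000")
SAMPLE_SHA256_RSA = bytes.fromhex("30183003020102300d06092a864886f70d01010b050003020000")
```

Run `signature_algorithm(open(path, "rb").read())` on each certificate in the chain; a result of `RSASSA-PSS` on any of them matches the case described in the original post.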
