VMware Cloud Community
kbogg
Contributor

SHA512 Root CA Cert with RSASSA-PSS detected as weak

Hi. 

I am trying to upload a CA certificate to the trusted root cert in the newest vCenter 8.

The CA cert is the official Danish national PKI root, which is a SHA512 Root CA Cert with RSASSA-PSS signature algorithm.

vCenter rejects the certificate with the following generic error:

Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors.Error, Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate

Since the certificate uses only modern strong algorithms, I assume the opposite is the issue (it uses "too strong" algorithms)?

Has anyone else had similar problems and raised an issue with VMware about it?

Kind regards

Kasper 

2 Replies
Faulei
Contributor

Hello,

We've just deployed a new Windows Server 2019 RootCA+SubCA and ran into the same issue (weak signature algorithm). While troubleshooting, we also saw that the signature algorithm of our root cert is RSASSA-PSS.

At the moment we're looking for a solution.

Faulei
Contributor

Goddag Kasper,

I've opened a support request and asked if there is any possibility vCenter could accept an RSASSA-PSS certificate, but I only got the answer that this isn't supported (as you can see at https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-DE49FBF5-E24A-462B-91DC-C4...)

We've now downgraded the root certificates of our AD to SHA384, but I see that this solution isn't helpful in your case.

Greetings from Bavaria!
