Microsoft Certificate Authority Provider Compatibilty
Solution 1:
The problem is that you put AlternateSignatureAlgorithm = 1
in the CA's CAPolicy.inf files. This entry enables alternate PKCS#1 v2.1 signature format. This format is supported by Windows CryptoAPI clients, however most legacy and 3rd party clients may not support this.
What you can do here? Look at each CA certificate and examine which one uses this signature. I suspect, that all CAs were installed by using the same CAPolicy.inf? If so, you have to modify CAPolicy.inf by changing entry to AlternateSignatureAlgorithm = 0
.
If there are post-installation scripts, then replace (if this command present) the following command: certutil -setreg csp\alternatesignaturealgorithm 1
to certutil -setreg csp\alternatesignaturealgorithm 0
.
And renew all CA certificates with *new* key pair.
reference to perform CA renewal: Renewing a certification authority