Microsoft Certificate Authority Provider Compatibility

Solution 1:

The problem is that you put AlternateSignatureAlgorithm = 1 in the CA's CAPolicy.inf files. This entry enables the alternate PKCS#1 v2.1 signature format. This format is supported by Windows CryptoAPI clients; however, most legacy and third-party clients may not support it.

What can you do here? Look at each CA certificate and examine which one uses this signature. I suspect that all CAs were installed using the same CAPolicy.inf? If so, you have to modify CAPolicy.inf by changing the entry to AlternateSignatureAlgorithm = 0. If there are post-installation scripts, then replace the following command (if it is present): certutil -setreg csp\alternatesignaturealgorithm 1 with certutil -setreg csp\alternatesignaturealgorithm 0.

And renew all CA certificates with a *new* key pair.

Reference for performing CA renewal: Renewing a certification authority
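The first step of the answer above is to find out which CA certificates actually carry the alternate signature format. The following PowerShell is an added example, not part of the original answer: it walks the local machine's Root and Intermediate CA stores, flags every certificate whose signature algorithm is RSASSA-PSS (the PKCS#1 v2.1 format that AlternateSignatureAlgorithm = 1 turns on), and reads the current registry value with certutil. It assumes it runs on a Windows host that trusts the CAs in question (or on the CA itself, for the certutil call); the store paths and the RSASSA-PSS OID are standard Windows values.

```powershell
# Added example (not the original answer's code). Lists CA certificates in the
# local machine stores and flags those signed with the PKCS#1 v2.1 format
# (RSASSA-PSS), which legacy and third-party clients may not accept.

$pssOid = '1.2.840.113549.1.1.10'   # RSASSA-PSS signature algorithm OID

$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

$results = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            SigAlgOid  = $_.SignatureAlgorithm.Value
            SigAlgName = $_.SignatureAlgorithm.FriendlyName
            UsesPss    = ($_.SignatureAlgorithm.Value -eq $pssOid)
        }
    }
}

# Every CA certificate, with the signature format visible side by side
$results | Sort-Object Store, Subject | Format-Table Store, Subject, SigAlgName, NotAfter -AutoSize

# Only the certificates that need to be renewed with a new key pair
$pssCerts = $results | Where-Object UsesPss
if ($pssCerts) {
    Write-Host "CA certificates using the alternate (PKCS#1 v2.1) signature format:"
    $pssCerts | Format-Table Store, Subject, NotAfter -AutoSize
} else {
    Write-Host "No CA certificates in these stores use the alternate signature format."
}

# On the CA itself: read the current CSP setting before changing it.
# certutil -getreg reads the value; the answer's -setreg command changes it.
certutil -getreg csp\AlternateSignatureAlgorithm

# For reference, the CAPolicy.inf entry the answer refers to lives in the
# [certsrv_server] section, e.g.:
#   [certsrv_server]
#   AlternateSignatureAlgorithm=0
```

A certificate that shows RSASSA-PSS here keeps that signature until the CA is renewed, so flipping the registry value or editing CAPolicy.inf alone does not fix already issued CA certificates; as the answer says, each affected CA still has to be renewed with a new key pair before third-party clients will accept the chain.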