Layer7 API Gateway: The given key (algorithm=RSA) is not valid for SHA512withECDSA
Article ID: 111567
Updated On:
Products
STARTER PACK-7, CA Rapid App Security, CA API Gateway
Issue/Introduction
When you use the 'Encode JSON Web Token' assertion and sign the JWT with an ECDSA algorithm, you receive one of the following errors. The message appears in the SSG logs.
The given key (algorithm=RSA) is not valid for SHA512withECDSA
The given key (algorithm=RSA) is not valid for SHA256withECDSA
The given key (algorithm=RSA) is not valid for SHA384withECDSA
Environment
Release:
Component: APIESM
Resolution
The issue occurs when an RSA private key is used to sign the JWT. When selecting a private key installed on the Gateway, confirm that you are using the correct key type.
In Policy Manager:
1) Open the Manage Private Keys dialog (Tasks -> Certificates, Keys and Secrets -> Manage Private Keys)
2) Look for the private key you are selecting to sign the JWT. Specifically take note of the 'Key Type' field.
If the key type is RSA xxxx bits, it cannot be used with the ECDSA algorithm. You will need to create a new private key opting for one of the Elliptic Curve algorithms.
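The same key-type mismatch can be reproduced and checked outside the Gateway with the standard Java security API. This is an added example, not Layer7 or Broadcom code: the class and method names are hypothetical, the keys are generated on the fly as sample input, and the curve-to-algorithm mapping (P-256/P-384/P-521 to ES256/ES384/ES512, per RFC 7518) goes beyond what the article states.

```java
import java.security.*;
import java.security.interfaces.ECKey;
import java.security.spec.ECGenParameterSpec;

// Hypothetical helper class (not part of the Gateway).
public class JwtSigningKeyCheck {

    // JWS algorithm that fits the key: ES256/ES384/ES512 need an EC key on
    // P-256/P-384/P-521 (RFC 7518); an RSA key can only use the RSA family.
    static String jwsAlgFor(PrivateKey key) {
        if (key instanceof ECKey) {
            int bits = ((ECKey) key).getParams().getCurve().getField().getFieldSize();
            switch (bits) {
                case 256: return "ES256";
                case 384: return "ES384";
                case 521: return "ES512";
                default: throw new IllegalArgumentException("unsupported curve size " + bits);
            }
        }
        if ("RSA".equals(key.getAlgorithm())) return "RS256";
        throw new IllegalArgumentException("unsupported key type " + key.getAlgorithm());
    }

    // True if a JCA provider accepts this key for the given signature algorithm.
    static boolean accepts(String jcaAlg, PrivateKey key) throws NoSuchAlgorithmException {
        try {
            Signature.getInstance(jcaAlg).initSign(key);
            return true;
        } catch (InvalidKeyException e) {
            System.out.println(jcaAlg + " rejected " + key.getAlgorithm() + " key: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample keys: one RSA 2048-bit, one EC on secp521r1 (P-521).
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        PrivateKey rsa = rsaGen.generateKeyPair().getPrivate();

        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp521r1"));
        PrivateKey ec = ecGen.generateKeyPair().getPrivate();

        System.out.println("RSA key -> " + jwsAlgFor(rsa) + ", SHA512withECDSA ok: " + accepts("SHA512withECDSA", rsa));
        System.out.println("EC key  -> " + jwsAlgFor(ec) + ", SHA512withECDSA ok: " + accepts("SHA512withECDSA", ec));
    }
}
```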