search cancel

Certificates using RSASSA-PSS signature algorithm supported?


Article ID: 193454


Updated On:


CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway


We have a certificate that has used the RSASSA-PSS signature algorithm.  (It happens to be our root level internal self-signed CA certificate)

When the Gateway attempts to verify the signature we get log messages like: Certificates do not conform to algorithm constraints. Caused by: Algorithm constraints check failed on signature algorithm: 1.2.840.113549.1.1.10

The OID identifies the RSASSA-PSS algorithm.

Java version:

$ /opt/SecureSpan/JDK/bin/java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.222-b10, mixed mode)

I've checked the issue database at OpenJDK and it appears a bunch of work has been going on to support this.  I cannot see however that in our particular circumstances whether this ought to work or not.

Is this known to work? Is it supported?


Release : 9.4

Component : API GATEWAY


he JDK in 9.4 doesnt support this algorithm yet. GW10 JDK should and possibly the next cr of 9.4

From our defect system I found the same algorithm with the following comments. 

"The certificate has signature algorithm RSASSA-PSS which is not supported on older JDKs. JDK 8 u241 has introduced support for PKCS#11 v2.40 which supports RSASSA-PSS algorithm. Please check the link below for more documentation"

"The certificate in the policy is not working on 9.4 OVA build 8872, as the jdk is 1.8.181. This jdk gives issue with that particular certificate. So the client has to use some other certificate other than the one currently in use which is compatible with jdk1.8.181 instead of jdk1.8.242. Otherwise they it is expected to be available in gateway 10 "