NSX 4.2 Encryption Compatibility: Unsupported Certificates, Cipher Suites, and Protocols
Article ID: 380830
Updated On:
Products
Issue/Introduction
- When attempting to upload a certificate in NSX 4.2 or later, you may encounter the error message:
Error: The certificate uses an unsupported signature algorithm.
- This error indicates that the signature algorithm of the uploaded certificate does not align with NSX 4.2’s cryptographic compatibility requirements.
- If the error provides an OID (long series of digits and dots) as the currently used signature algorithm, you may search online to map it to the name of the algorithm.
For example:1.2.840.113549.1.1.5issha1-with-rsa-signature - The certificate may be self-signed leaf, CA-signed leaf or root CA certificates.
Environment
VMware NSX
Cause
This error arises because NSX 4.2 exclusively supports certificates compliant with OpenSSL 3.0 standards, which enforce stricter cryptographic requirements. Certificates using deprecated or weak algorithms such as SHA1, MD5, or with a key size of 1024 bits are no longer compatible. Additionally, cipher suites or protocols considered insecure, like 3DES, SSL 3.0, TLS 1.0, and TLS 1.1, are also unsupported.
When importing a leaf certificate, the whole chain must be provided (as per NSX Documentation - Import a Self-signed or CA-signed Certificate). Every certificate must use a supported signature algorithm (even the root CA certificate).
Resolution
Use certificates signed with supported algorithms, such as SHA-256 or stronger, and with a minimum key size of 2048 bits. Verify that the certificate does not use deprecated algorithms like SHA1 or MD5, and avoid unsupported protocols or cipher suites such as 3DES, SSL 3.0, TLS 1.0, and TLS 1.1.
When importing a CA-signed leaf certificate, ensure that the whole chain is compliant.
Additional Information
Cryptographic Support (Page 1483)
Feedback
