When attempting to upload a CA root certificate in NSX 4.2, you may encounter the error message:
"Error: The certificate uses an unsupported signature algorithm."
This error indicates that the signature algorithm of the uploaded certificate does not align with NSX 4.2’s cryptographic compatibility requirements. This KB article aims to provide additional context on the causes of this error and guidance for resolution.
VMware NSX
This error arises because NSX 4.2 exclusively supports certificates compliant with OpenSSL 3.0 standards, which enforce stricter cryptographic requirements. Certificates that use deprecated or weak algorithms such as SHA1 or MD5, or that have a key size of 1024 bits, are no longer compatible. Additionally, cipher suites or protocols considered insecure, like 3DES, SSL 3.0, TLS 1.0, and TLS 1.1, are also unsupported.
Use certificates signed with supported algorithms, such as SHA-256 or stronger, and with a minimum key size of 2048 bits. Verify that the certificate does not use deprecated algorithms like SHA1 or MD5, and avoid unsupported protocols or cipher suites such as 3DES, SSL 3.0, TLS 1.0, and TLS 1.1.
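
A pre-upload check for the criteria above, as an added example that is not part of the original article or of VMware tooling: it reads `openssl x509 -noout -text` output and flags SHA1/MD5 signatures and RSA keys under 2048 bits. The function names, the `ca.pem` filename and the sample text are constructed for illustration; applying the key-size rule to RSA keys only is an assumption.

```bash
#!/usr/bin/env bash
# Reads `openssl x509 -noout -text` output on stdin.
# Returns 0 = meets the criteria, 1 = weak signature/key, 2 = not parseable.
check_cert_text() {
    local text sig alg bits rc=0
    text=$(cat)
    # The first "Signature Algorithm" line is the one inside the signed data.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$sig" ]; then
        echo "FAIL: no Signature Algorithm field found"; return 2
    fi
    case $(printf '%s' "$sig" | tr '[:upper:]' '[:lower:]') in
        *sha1*|*md5*) echo "FAIL: signature algorithm $sig (SHA1/MD5)"; rc=1 ;;
        rsassapss)    echo "INFO: RSASSA-PSS, check the Hash Algorithm line by hand" ;;
        *)            echo "OK: signature algorithm $sig" ;;
    esac
    # Assumption: the 2048-bit minimum is applied to RSA keys only.
    if [ "$alg" = "rsaEncryption" ]; then
        if [ "${bits:-0}" -lt 2048 ]; then
            echo "FAIL: RSA key ${bits:-?} bits (minimum 2048)"; rc=1
        else
            echo "OK: RSA key $bits bits"
        fi
    else
        echo "INFO: key type ${alg:-unknown}, size not judged by this check"
    fi
    return "$rc"
}

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
sample_text() {  # $1 = signature algorithm, $2 = RSA key size in bits
    cat <<EOF
Certificate:
    Data:
        Signature Algorithm: $1
        Subject: CN = Example Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: ($2 bit)
    Signature Algorithm: $1
EOF
}

sample_text sha1WithRSAEncryption 1024 | check_cert_text || true
sample_text sha256WithRSAEncryption 4096 | check_cert_text
# Against a real file (ca.pem is a placeholder name):
#   openssl x509 -in ca.pem -noout -text | check_cert_text
```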