NSX 4.2 Encryption Compatibility: Unsupported Certificates, Cipher Suites, and Protocols

Article ID: 380830

Products

VMware NSX

Issue/Introduction

When attempting to upload a CA root certificate in NSX 4.2, you may encounter the error message:
"Error: The certificate uses an unsupported signature algorithm."

This error indicates that the signature algorithm of the uploaded certificate does not align with NSX 4.2’s cryptographic compatibility requirements. This KB article aims to provide additional context on the causes of this error and guidance for resolution.

Environment

VMware NSX

Cause

This error arises because NSX 4.2 exclusively supports certificates compliant with OpenSSL 3.0 standards, which enforce stricter cryptographic requirements. Certificates signed with deprecated or weak algorithms such as SHA1 or MD5, or that use a key size of 1024 bits, are no longer compatible. Additionally, cipher suites or protocols considered insecure, like 3DES, SSL 3.0, TLS 1.0, and TLS 1.1, are also unsupported.

Resolution

Use certificates signed with supported algorithms, such as SHA-256 or stronger, and with a minimum key size of 2048 bits. Verify that the certificate does not use deprecated algorithms like SHA1 or MD5, and avoid unsupported protocols or cipher suites such as 3DES, SSL 3.0, TLS 1.0, and TLS 1.1.
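
The check below is an added example, not part of the original article and not NSX's own validation logic: a standard-library Python pre-upload check that reads one PEM certificate and reports the two conditions named above, an MD5 or SHA-1 signature algorithm and an RSA key under 2048 bits. The names `check_certificate`, `items`, `der` and `sample_pem` are hypothetical, the list of weak OIDs is limited to the common RSA and ECDSA cases, and `sample_pem` builds a constructed certificate skeleton so the check can be exercised offline.

```python
import base64

PKCS1 = bytes.fromhex("2a864886f70d0101")   # OID prefix 1.2.840.113549.1.1
RSA = PKCS1 + b"\x01"                       # rsaEncryption
WEAK_SIG = {PKCS1 + b"\x04": "md5WithRSAEncryption",   # MD5 and SHA-1 signature OIDs
            PKCS1 + b"\x05": "sha1WithRSAEncryption",
            bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1"}

def items(buf):
    """Return [(tag, value), ...] for the DER elements laid end to end in buf."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def check_certificate(pem, min_rsa_bits=2048):
    """List which of the article's rejection reasons apply to one PEM certificate."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tbs, sig_alg, _sig = items(items(base64.b64decode(b64))[0][1])
    findings, sig_oid = [], items(sig_alg[1])[0][1]
    if sig_oid in WEAK_SIG:
        findings.append("signature algorithm " + WEAK_SIG[sig_oid])
    fields = items(tbs[1])
    spki = items(fields[6 if fields[0][0] == 0xA0 else 5][1])  # [0] version is optional
    if items(spki[0][1])[0][1] == RSA:
        # BIT STRING = unused-bits byte + RSAPublicKey SEQUENCE { modulus, exponent }
        modulus = items(items(spki[1][1][1:])[0][1])[0][1]
        if (bits := int.from_bytes(modulus, "big").bit_length()) < min_rsa_bits:
            findings.append(f"RSA key size {bits} bits")
    return findings

def der(tag, *parts):  # DER encoder, used only to build the constructed sample
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_pem(sig_oid, rsa_bits):
    """Constructed certificate skeleton (empty names, dummy signature), not a real cert."""
    alg = lambda o: der(0x30, der(0x06, o), der(0x05))
    modulus = b"\x00" + (1 << (rsa_bits - 1) | 1).to_bytes(rsa_bits // 8, "big")
    key = der(0x30, der(0x02, modulus), der(0x02, b"\x01\x00\x01"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg(sig_oid),
              *[der(0x30)] * 3, der(0x30, alg(RSA), der(0x03, b"\x00", key)))
    cert = der(0x30, tbs, alg(sig_oid), der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(cert).decode()}-----END CERTIFICATE-----\n"
```

Pass the text of a single-certificate PEM file to `check_certificate`; an empty list means neither condition was found, and each certificate in a chain file has to be checked separately.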