POST https://<nsx-manager>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certid>
{ "error_code": 36432, "error_message": "Certificate validation failed. Reason: Certificate CN=<redacted> does not use supported signature algorithm.", "module_name": "node-services" }
$ openssl x509 -text -noout < manager.cer | grep "Signature Algorithm"
Signature Algorithm: rsassaPss
Signature Algorithm: rsassaPss.
VMware NSX
NSX does not support the RSASSA-PSS algorithm.
Use the NSX-supported algorithms. NSX Manager only allows the following signature schemes:
VALID_ALGORITHMS.put("1.2.840.113549.1.1.11", "SHA256WithRsaEncryption");
VALID_ALGORITHMS.put("1.2.840.113549.1.1.12", "SHA384WithRsaEncryption");
VALID_ALGORITHMS.put("1.2.840.113549.1.1.13", "SHA512WithRsaEncryption");
VALID_ALGORITHMS.put("1.2.840.10045.4.3.2", "ECDSA-WITH-SHA256");
VALID_ALGORITHMS.put("1.2.840.10045.4.3.3", "ECDSA-WITH-SHA384");
VALID_ALGORITHMS.put("1.2.840.10045.4.3.4", "ECDSA-WITH-SHA512");
VALID_ALGORITHMS.put("2.16.840.1.101.3.4.3.2", "DSA-WITH-SHA256");
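A pre-flight check for the validation described above, as an added example (not VMware's code): it reads the outer signatureAlgorithm OID from a PEM or DER certificate and compares it with the allow-list quoted on this page. The function names are illustrative, and the parser covers only the DER elements needed to reach that field.

```python
import base64
import re

# Allow-list copied from the VALID_ALGORITHMS entries quoted on this page.
NSX_VALID_ALGORITHMS = {
    "1.2.840.113549.1.1.11": "SHA256WithRsaEncryption",
    "1.2.840.113549.1.1.12": "SHA384WithRsaEncryption",
    "1.2.840.113549.1.1.13": "SHA512WithRsaEncryption",
    "1.2.840.10045.4.3.2": "ECDSA-WITH-SHA256",
    "1.2.840.10045.4.3.3": "ECDSA-WITH-SHA384",
    "1.2.840.10045.4.3.4": "ECDSA-WITH-SHA512",
    "2.16.840.1.101.3.4.3.2": "DSA-WITH-SHA256",
}

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _oid(raw):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    subs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_algorithm_oid(cert):
    """Return the OID of Certificate.signatureAlgorithm from PEM or DER bytes."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", cert, re.S)
    der = base64.b64decode(pem.group(1)) if pem else cert
    tag, start, _ = _tlv(der, 0)                # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)            # skip tbsCertificate
    alg_tag, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = _tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    return _oid(der[oid_start:oid_end])

def check_for_nsx(cert):
    """Return (accepted, oid); accepted is True only for allow-listed OIDs."""
    oid = signature_algorithm_oid(cert)
    return oid in NSX_VALID_ALGORITHMS, oid
```

Calling `check_for_nsx(open("manager.cer", "rb").read())` on a certificate signed with RSASSA-PSS (OID 1.2.840.113549.1.1.10) returns `(False, "1.2.840.113549.1.1.10")`, which corresponds to the rejection shown in the error above.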
This behavior is expected and stems from the product's current supported-algorithm limitations. NSX supports a specific set of algorithms, as listed above in the Resolution section.
The RSASSA-PSS algorithm is currently not supported or implemented. To have the implementation of this algorithm considered in the future, please raise a feature request on the Feature Requests Portal.