Microsoft Certificate Authority Provider Compatibilty

Question

So we are a mid-size enterprise refreshing our Microsoft PKI and looking to leverage it heavily across ther org for many things. ie Server to Server/Workstation encryption, Wireless TLS Encryption/Authentication ( Aruba ), Internal SSL Web Services, Domain Controller SLDAP from Server and Client Apps, etc...

We are 50/50 MAC-Windows on the client side and 70/30 CentOS/Windows server side.

Deploying a 3 tier MS PKI with an Offline Root using the MS RSA Software Provider:Signature Algorithm: RSASSA-PSS -Signature hash Algorithm: sha256

Well MAC OS X Mavericks and up won't play nice with the SSL certs issued, Oracle JDK 8 SSL Lib won't support and we need to provide an alternate library, Aruba Clearpass looks to possible have issues. New versions of firefox are balking.

Anyway, Has anyone gone through this recently and have any advice to offer. Getting on call with MS to get some advisory info and we have a ticket open with Apple.

Open for recommendations.

Thanks

Answer 1

The problem is that you put AlternateSignatureAlgorithm = 1 in the CA's CAPolicy.inf files. This entry enables alternate PKCS#1 v2.1 signature format. This format is supported by Windows CryptoAPI clients, however most legacy and 3rd party clients may not support this.

What you can do here? Look at each CA certificate and examine which one uses this signature. I suspect, that all CAs were installed by using the same CAPolicy.inf? If so, you have to modify CAPolicy.inf by changing entry to AlternateSignatureAlgorithm = 0. If there are post-installation scripts, then replace (if this command present) the following command: certutil -setreg csp\alternatesignaturealgorithm 1 to certutil -setreg csp\alternatesignaturealgorithm 0.

And renew all CA certificates with *new* key pair.

reference to perform CA renewal: Renewing a certification authority