
I need to connect our SimpleSAMLphp SP to a customer's SAML 2.0 IdP. We have done this several times before and it worked quite well. Normally the certificates of our customers have been created using OpenSSL and we haven't had any issues before.

Our current customer is using Java's keytool to generate their certificate for the metadata exchange.

The certificate has been generated using the following command:

keytool -genkeypair -keystore saml.jks -alias idp-signing -dname "cn=idp-signing-INT" -validity 1825 -keyalg RSA -sigalg SHA256withRSA -keysize 2048

When I inspect the cert it looks something like this:

keytool -list -v -keystore saml.jks -alias idp-signing

Alias name: idp-signing
Creation date: 27-Jun-2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idp-signing-INT
Issuer: CN=idp-signing-INT
Serial number: 5f09e950
Valid from: Tue Jun 27 12:00:34 CEST 2017 until: Sun Jun 26 12:00:34 CEST 2022
Certificate fingerprints:
     MD5:  85:E8:5D:EB:11:9B:CA:3C:02:06:65:A7:82:A4:4B:2B
     SHA1: 41:79:18:80:65:C4:D6:27:CD:27:05:11:AD:5A:43:33:60:C7:89:AA
     SHA256: 65:53:6E:FD:98:1E:0E:FE:B8:0F:50:11:EC:9A:06:FD:7C:27:F5:F5:D6:C8:11:AB:FA:D6:CE:80:86:09:CC:DF
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C 88 3B 15 B4 22 FD 83   B6 BE 35 7F 3E E4 72 1E  ..;.."....5.>.r.
0010: 30 7C 84 89                                        0...
]
]

Now when trying to authenticate via our customer's IdP, our SP does not accept the IdP's certificate with the log message: Decryption failed: Algorithm disabled. It turns out that simpleSAMLphp does not accept certificates using a PKCS#1 v1.5 encryption.

I could solve the problem pretty easily by removing that algorithm from simpleSAMLphp's blacklist. But... To be honest... That is not a good solution. It would be nice to be able to generate a certificate using keytool that does not make use of PKCS#1 v1.5 and just satisfies the recommendations.

Unfortunately I am not an encryption specialist and normally do not use java/keytool either.

Maybe someone can give me a hint on how our customer should generate their certificate the right way?

Would be really nice! Thanks in advance!

Marco
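The following is an added example, not code from the question or from the SimpleSAMLphp project. "Algorithm disabled" in a decryption failure refers to the XML Encryption key-transport algorithm, which the encrypting party (the IdP) declares in the EncryptedKey/EncryptionMethod element of each message; it is not a property recorded in the X.509 certificate, so the keytool command and the SHA256withRSA signature algorithm shown above do not determine it. The script below inspects a SAML Response and reports whether its key transport uses http://www.w3.org/2001/04/xmlenc#rsa-1_5 (PKCS#1 v1.5) or an OAEP variant, which is the check an SP operator can run on a captured response before touching any blacklist. The response it parses is constructed here with placeholder ciphertext; the function names and the default blocked set are this example's own assumptions.

```python
"""Report the RSA key-transport algorithm used in a SAML 2.0 Response.

Added example, not part of the original question. Assumes a standard
Response carrying an EncryptedAssertion per XML Encryption; the sample
message is constructed and its base64 payloads are placeholders.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

RSA_1_5 = XENC + "rsa-1_5"              # PKCS#1 v1.5 key transport
RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"  # RSA-OAEP (XML Encryption 1.0)
RSA_OAEP = XENC11 + "rsa-oaep"           # RSA-OAEP (XML Encryption 1.1)

# Assumption for this example: treat PKCS#1 v1.5 key transport as blocked,
# mirroring the SP-side rejection described in the question.
BLOCKED_BY_DEFAULT = frozenset({RSA_1_5})


def make_response(key_transport_alg: str) -> str:
    """Build a minimal constructed Response whose EncryptedKey names the given algorithm."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">
      <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{key_transport_alg}"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER_WRAPPED_KEY</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER_CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def key_transport_algorithms(xml_text: str) -> list:
    """Return the Algorithm URI of every EncryptedKey/EncryptionMethod in the document."""
    root = ET.fromstring(xml_text)
    algs = []
    for encrypted_key in root.iter(f"{{{XENC}}}EncryptedKey"):
        method = encrypted_key.find(f"{{{XENC}}}EncryptionMethod")
        if method is not None and method.get("Algorithm"):
            algs.append(method.get("Algorithm"))
    return algs


def audit_key_transport(xml_text: str, blocked=BLOCKED_BY_DEFAULT) -> dict:
    """Split the key-transport algorithms found into accepted and blocked lists."""
    found = key_transport_algorithms(xml_text)
    return {
        "found": found,
        "blocked": [a for a in found if a in blocked],
        "accepted": [a for a in found if a not in blocked],
    }


if __name__ == "__main__":
    for alg in (RSA_1_5, RSA_OAEP_MGF1P, RSA_OAEP):
        result = audit_key_transport(make_response(alg))
        verdict = "would be rejected" if result["blocked"] else "accepted"
        print(f"{alg}: {verdict}")
```

To run this against a real message, replace the constructed Response with the XML of a captured response (after base64 decoding the SAMLResponse parameter); if the reported algorithm is rsa-1_5, the fix belongs in the IdP's encryption configuration, not in the certificate.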

0 Answers