none
PKI - RSASSA-PSS to RSASHA256 RRS feed

  • Question

  • I currently have a 2 tire CA where the Signature Hash Algorithm used is RSASSA-PSS. Unfortunately as widely know this SHA has support issues and am now consider to switch to RSASHA256. I am aware that I will have to modify the Alternatesignaturealgortihm to 0 on both CAs. I have 3 questions:

    1. Do I need to renew both ROOT an INTERMEDIATE CA certificates with new key pairs, or is this only applicable for the ROOT CA?
    2. Will the certificates issued from the INTERMEDIATE CA still show as valid after this changeover in the Signature Hash Algorithm?
    3. Do you envisage further requirements for the successful continuation of the lifecycle of the CA?

    Thanks in advance.

    Wednesday, June 22, 2016 11:27 AM

Answers

  • You will need to remove the entry from any CAPolicy.inf file that has it defined. You will then need to renew any CA that is currently showing RSASSA-PSS as it's signature algorithm. No way to tell from this information which of your CAs have this in place. Start at the top of the chain (root) and work your way down. If you renew with the existing key, client certs should chain up to the newly renewed certificates. You should also check to make sure none of your templates have been configured to enable the signing of end-entity certificates with this value either - that is on the Cryptography tab of the template (only enabled if the provider is a Key Storage Provider in the template).

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    Wednesday, June 22, 2016 8:00 PM
  • The reason is, as already stated, that you created this version of the CA certificate with alternatesignaturealgorithm=1 enabled.

    As Mark stated, you need to do the following:

    1) Root CA.

    - Remove the alternatesignaturealgorithm=1 line (or change it to 0) in the CAPolicy.inf

            - Renew the root CA certificate

            - Verify the signature on the certificate to ensure it is RSASHA256

    2) Each Issuing CA

            - Remove the alternatesignaturealgorithm=1 line (or change it to 0) in the CAPolicy.inf

            - Renew the root CA certificate

            - Verify the signature on the certificate to ensure it is RSASHA256

    3) Each certificate template

    - Ensure that you do not enable the option for alternate signature algorithm on the Cryptography tab.

    4) Re-issue all certificates affected.

    Brian

    Thursday, June 23, 2016 11:47 AM

All replies

  • You will need to remove the entry from any CAPolicy.inf file that has it defined. You will then need to renew any CA that is currently showing RSASSA-PSS as it's signature algorithm. No way to tell from this information which of your CAs have this in place. Start at the top of the chain (root) and work your way down. If you renew with the existing key, client certs should chain up to the newly renewed certificates. You should also check to make sure none of your templates have been configured to enable the signing of end-entity certificates with this value either - that is on the Cryptography tab of the template (only enabled if the provider is a Key Storage Provider in the template).

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    Wednesday, June 22, 2016 8:00 PM
  • Thanks for the valuable feedback. From the templates I found that the provider is set as CSP but still, end-entity certificates which are signed by the intermediate CA have the Signature Algorithm field as RSASSA-PSS. How is this possible?
    Thursday, June 23, 2016 9:53 AM
  • The reason is, as already stated, that you created this version of the CA certificate with alternatesignaturealgorithm=1 enabled.

    As Mark stated, you need to do the following:

    1) Root CA.

    - Remove the alternatesignaturealgorithm=1 line (or change it to 0) in the CAPolicy.inf

            - Renew the root CA certificate

            - Verify the signature on the certificate to ensure it is RSASHA256

    2) Each Issuing CA

            - Remove the alternatesignaturealgorithm=1 line (or change it to 0) in the CAPolicy.inf

            - Renew the root CA certificate

            - Verify the signature on the certificate to ensure it is RSASHA256

    3) Each certificate template

    - Ensure that you do not enable the option for alternate signature algorithm on the Cryptography tab.

    4) Re-issue all certificates affected.

    Brian

    Thursday, June 23, 2016 11:47 AM

  • 4) Re-issue all certificates affected.

    Brian

    I got the impression that if the renewal of the issuing CA is done with the same key pair, shouldn't the already issued certs still line up the chain properly? Thanks all
    Thursday, June 23, 2016 1:35 PM
  • The issue is that the already issued certificates have the incorrect signature algorithm, so you need to replace all. They need to be SHA256RSA (per your original statement). Once a certificate is signed, that is it. It cannot be changed/edited. You need to re-issue all certs.

    Brian


    Thursday, June 23, 2016 1:59 PM
  • I know this is an old thread but we're in this situation now (we deployed with RSASSA-PSS, ran fine for  a couple of years but now a new app can't use those certs so we need to switch to RSASHA256).

    My understanding is this can be done without having to reissue all existing certificates but it's not clear to me whether this relies on the root & intermediate CA certs being renewed with the same key pair as is currently used or whether a new key pair could be used.

    I think Brian's previous comment in this thread is based on the assumption that the already-issued certificates don't work (and as you can't edit the algorithm in an end entity cert they would need to be re-issued in order to work). However I think the OP was in a similar situation to me, hundreds of already issued end entity certs work just fine, only a single newly-issued end entity is a problem.

    I need to assess the effort to fix this (vs the risk of leaving an existing working self-signed cert in place), the effort of creating new root and intermediate CA certs is a pain (signing ceremony etc. required) but manageable however if we can't leave the old certs + old CA chain in place and need to reissue all the existing end entity certs (that work fine with RSASSA-PSS) that's a different level of effort and service risk that would likely be unacceptable.

    Monday, September 16, 2019 8:44 AM