Replies: 2 comments 1 reply
-
|
You have a CA using RSA keys, but you have configured the certificate profile to use ML-DSA as signature algorithm. Signatures on certificates are always done by the CA so the signature algorithm in the certificate profile should be left as "Inherit by issuing CA". |
Beta Was this translation helpful? Give feedback.
-
|
The certificate profile is correctly configured to use RSA |
Beta Was this translation helpful? Give feedback.
-
|
This is a new issue now, different from the above. I feel like there is a mix up of concept between the CAs keys and the end user keys. The CA have signing keys used to sign certificates. These are also used to self-sign the Root CAs own certificate. The public key in the CAs own certificate matches the Cas private signing key. Now you have replaced the CA signing keys, but the CA certificate contains the old public key, so it does not match. You must now go into "Edit CA" and Renew the CAs certificate, you can find this under "CA life cycle". I hope the CA signing algorithm (what you see under Edit CA) is not something like SHA256WithRSA? After this you can go back and enroll end entities. Your ClientAuth certificate profile looks proper. It uses the signature algorithm from the CA (which should be SHA256WithRSA to match the CA keys you have created), And it only allow RSA as the end entity keys, which means that a CSR uploaded to the RA web will be rejecged if it doesn't have RSA 2048 keys, or if you choose server generated keys only RSA 2048 will be available to select in the RA Web. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
How are you ?
I'm experiencing an issue when trying to generate a PKCS#12 keystore during the enrollment process. I’ve tried using both ML-DSA and RSA key algorithms, but in both cases, the keystore generation fails.
Beta Was this translation helpful? Give feedback.
All reactions