Global Protect certificate Error: Certificate 'certname' failed to load: parse tbs certificate not supported algorithm

L0 Member

What does that error mean?

I'm trying to get a simple certificate from a w2k8 server CA to use in the Global Protect.

The Secure WebGui certificate works fine.

Thx in advance.

L0 Member

I found the answer after a lot of researching.

The problem is in the certificate signature algorithm.

When we set up the intermediate server we chose to use RSA512 as a signature algorithm. As it turns out the PA v4.1.5 does not support RSA512.

If you are running a Windows CA and need to change the signature algorithm, see the following URL.

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/568ef7b7-5cad-4225-b35a-46...

Regards

PoTski

L1 Bithead

Thanks for the update. Was looking at using SSL inspection via our CA. We used 512RSA to stop Google Chrome moaning about being signed insecurely when running MD5. Have already uninstalled and re-installed our CA to get this working, don't fancy the reg hack though.

Don't suppose you know if this is fixed in 4.1.6?

L6 Presenter

Isn't RSA512 just really bad?

At least use 1024 if you have performance concerns.

FIPS 140-2 states one should use 2048 while EU-CRYPTII says something like at least 2444 bits for asymmetric encryption (in reality 4096 is the next step).

A true CA should use as high encryption as possible, for example 16384, where the issued certs use 4096 or such.
