Windows Certificate Authority Delivers Certificates that Cannot be Read by PAN-OS

Issue

When using Windows Certificate Authority 2008R2 or later the following may be encountered:

• SSL client certificate authentication fails on Captive Portal or Global Protect
• LDAP over SSL connection are failing without a reason
• Server certificates signed by Windows CA for the use Management or Captive are failing to commit with error message saying there is a use of unsupported algorithms.
• Decryption Certificate CA signed by Windows CA fails to commit with error message saying there is a use of unsupported algorithms.

At the time of committing to a firewall, you will usually see the following error message which is not exclusive to this problem:

Error: Certificate failed to load: parse tbs certificate not supported algorithm.

Cause

By default Windows CA 2008R2 and later will use RSASSA-PSS algorithm to sign its certificates. This algorithm has poor support from many SSL stack vendors and with earlier version of Windows (pre Server2008 and WindowsVista), and is not currently supported by PAN-OS.

Resolution

Apply one of the following workarounds :

• [Preferred Solution] Use another Certificate Authority that doesn't make use of RSASSA-PSS algorithm
• Edit Windows CA server Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm and set its value to 0. Then delete/re-issue failing certificate with this CA.
  Warning: This operation is not officially supported by Microsoft and should be operated by a competent Windows administrator.

owner: cpainchaud