As a standard, TLS has no corresponding signature algorithm for RSASSA-PSS. Hence, RSASSA-PSS cannot be used on Deep Security, although there are instances when AD servers and Windows CA may use and generate such certificates.
Since RSASSA-PSS is not part of the TLS standard, it is deemed insecure and unsupported in Deep Security.
To resolve the error:
- Generate a certificate for Deep Security using a TLS-compatible signature algorithm such as SHA256 or SHA512.
- Rebuild the CA with the new signature algorithm. This is necessary since the signature algorithm is a base setting of the CA.
- Renew all the published certificates for the system.
Alternatively, you may consider a self-signed certificate for your Active Directory only.
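To find which certificates in a chain carry an RSASSA-PSS signature, and to confirm the reissued ones no longer do, the signature algorithm can be read directly from the certificate encoding. The Python below is an added example, not part of the original article or of Deep Security; the function names and the sample certificate skeletons are constructed for illustration, and the OIDs are the standard values from RFC 4055.

```python
import base64

SIG_OIDS = {  # signature-algorithm OIDs from RFC 4055
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of a sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm(cert):  # cert: PEM or DER bytes -> algorithm name or dotted OID
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = [l for l in cert.splitlines() if l and not l.startswith(b"-----")]
        cert = base64.b64decode(b"".join(lines))
    tag, body, _ = read_tlv(cert, 0)   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, pos = read_tlv(body, 0)      # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)    # signatureAlgorithm ::= SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def _tlv(tag, body):  # small DER encoder, used only to build the constructed samples
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(last_arc):
    # Constructed skeleton (not a real certificate) with OID 1.2.840.113549.1.1.<last_arc>
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, bytes(200)) + alg + _tlv(0x03, bytes(9)))
```

Run `signature_algorithm` over the bytes of each certificate in the chain (root, intermediates and server certificate); any that return `RSASSA-PSS` need to be reissued after the CA is rebuilt.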
