Skype For Business Certificate Encryption Algorithm RSASSA-PSS is not supported in Skype for Business

I ran into this issue for the first time and just wanted to document it. It was a bit of a surprise, but I documented the fact that Skype For Business is not supporting the current encryption methodology RSASSA-PSS. This was a real snake bite. Having been involved in many deployments, I never ran into this issue. So, a few points on this:

  • From a Skype4B standpoint, look at this as a Certificate Authority problem
    • Besides failing calls, you have:
      • Bad certificate endpoint audits
      • Bad chain audits
  • SHA1RSA is being phased out; this year was the deadline, as I recall
  • You would expect SFB to have moved to more modern encryption
  • SHA2RSA is apparently not supported either but does support RSAPSS (which MS documentation says is supported)
  • And it's true! Microsoft Windows has been more open than some of the other departments to supporting modern authorization and encryption.
  • But certain things like Skype and possibly Exchange 2016 Secure Mail may be limited to SHA1RSA as an absolute requirement. This has not changed as of 10.2017

So for the meantime, this means you are more and more likely to find this occurring, and my article will become helpful. I will try to find some errors to post, to give you some terms of this challenge.

For Example:

  • Elliptic Curve Cryptography
  • Microsoft works with them all
  • To avoid this issue, you need to install your CA with “Use Alternate Signature Format” unchecked during install.
  • If the issue is a public certificate, you will need to re-request the certificate and tell the provider you do not want an alternate signature format for your PKCS #1 Version 2.1 certificate.
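To see whether a server is affected, check the signature algorithm of each certificate and of every certificate in its chain, since the problem can come from the issuing CA. The following PowerShell is an added example, not part of the original post; it assumes the certificates assigned to Skype for Business live in the `LocalMachine\My` store, and `Get-PssChainFinding` is a hypothetical helper name.

```powershell
# Added example: flag certificates whose own signature, or the signature of any
# certificate in their chain, uses RSASSA-PSS (OID 1.2.840.113549.1.1.10).
$PssOid = '1.2.840.113549.1.1.10'

function Get-PssChainFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is not the question here; skip it so the check works offline.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($Certificate)

        # If no chain could be built, still report on the certificate itself.
        $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        if ($elements.Count -eq 0) { $elements = @($Certificate) }

        foreach ($c in $elements) {
            [pscustomobject]@{
                Leaf       = $Certificate.Subject
                ChainCert  = $c.Subject
                Thumbprint = $c.Thumbprint
                SigAlgOid  = $c.SignatureAlgorithm.Value
                SigAlgName = $c.SignatureAlgorithm.FriendlyName
                IsPss      = ($c.SignatureAlgorithm.Value -eq $PssOid)
            }
        }
        $chain.Reset()
    }
}

# Assumption: the server's certificates are in the local machine personal store.
Get-ChildItem Cert:\LocalMachine\My |
    Get-PssChainFinding |
    Where-Object IsPss |
    Format-Table Leaf, ChainCert, SigAlgName, Thumbprint -AutoSize
```

Any row in the output is a certificate, or an issuer above it, signed with RSASSA-PSS; an empty result means no certificate in that store or its chain uses the alternate signature format.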

I have it on my desk but I am out of time. But early warning: the new RSASSA-PSS is not currently supported by SFB.

Yeah, RSASSA-PSS is not a supported signature algorithm for Lync/SFB servers; this information has been provided in the following article: https://technet.microsoft.com/en-us/library/gg398066(v=ocs.15).aspx

Like it. This 2013 article is what Microsoft passed on for Skype for Business 2013.
