"Invalid algorithm specified" error with EC MoveHub certificates

Explanation of this error

When testing certificate access in the Eucaris Configuration Tool you may encounter an "Invalid algorithm specified" error. It occurs when the Cryptographic Service Provider (CSP) that holds the certificate's private key does not support the hash algorithm (SHA-256) that the .NET Framework enforces for signing.

When the broker inbound URL is set to SSL and you test access to the SSL server endpoint certificate (for example prodrive.acceptance.<country>.testa.eu) in the Eucaris Configuration Tool, you may encounter an "Invalid algorithm specified" error.
Starting with release 4.7.2 of the .NET Framework, SHA-256 is the minimum hash algorithm used when signing a message with a certificate (System.Security.Cryptography.Xml.SignedXml.ComputeSignature). A PFX file, however, records the name of the CSP in which its private key is to be stored, and on import the key lands in a container of that provider. Some certificates are delivered with a default CSP that does not support SHA-256; signing with such a certificate fails with "Invalid algorithm specified".

With the command certutil <certificate>.pfx (equivalent to certutil -dump <certificate>.pfx) you can see the Cryptographic Service Provider recorded in the PFX: after entering the PFX password, look for the "Provider =" line in the output.
Our broker communication is signed with xxx.eucaris-acc.testa.eu.pfx. Running certutil on this PFX shows Microsoft Enhanced RSA and AES Cryptographic Provider (provider type PROV_RSA_AES). This provider supports SHA-256, so the certificate is usable for signing under .NET 4.7.2.
You can also add an SSL server endpoint certificate to the broker, for example prodrive.acceptance.<country>.testa.eu. Running certutil on this PFX shows Microsoft RSA SChannel Cryptographic Provider (provider type PROV_RSA_SCHANNEL). This provider does not support SHA-256, so the certificate cannot be used for signing under .NET 4.7.2.

You may notice that, after setting (for example) the prodrive.acceptance.<country>.testa.eu certificate as server endpoint certificate for the broker inbound connection, the "Invalid algorithm specified" error appears when you test access to this certificate in the Configuration Tool, but not when you actually communicate with the Central HUB on acceptance/production.
The reason is that the test in the Configuration Tool performs a signing operation, which .NET 4.7.2 cannot complete with the Microsoft RSA SChannel Cryptographic Provider.
An endpoint certificate, by contrast, is never used for signing.

Endpoint certificate:
A secure WCF client that connects to an endpoint with an X.509 certificate identity verifies that the claims presented by the server include the thumbprint of the certificate used to construct that identity. This is a comparison of thumbprints, not a signing operation with the private key, so .NET 4.7.2 does not fail on it when the certificate uses the Microsoft RSA SChannel Cryptographic Provider.

Solution

Nevertheless, we can make sure the test access in the Configuration Tool does not produce the error.
We have to import the certificate while specifying a Cryptographic Service Provider that supports SHA-256.

When we want to install a certificate on the Eucaris machine whose PFX records a "wrong" default Cryptographic Service Provider, we can override that provider at import time with the following command in a Command Prompt window (started as administrator):
certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX <location on harddrive>\<service>.acceptance.<country>.testa.eu.pfx
certutil prompts for the PFX password; add -p <password> before -importPFX to supply it non-interactively.

An example:

certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX c:\temp\prodrive.acceptance.<country>.testa.eu.pfx

When no store name is given, certutil imports the certificate into the Personal/Certificates store of the local machine (LocalMachine\My).
The private key is now held by a provider that supports SHA-256, so the certificate works without error both for signing (.NET 4.7.2) and as an X.509 certificate identity.
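The provider check and SHA-256 signing test from the explanation above, together with the forced import and a verification of the installed entry, as an added PowerShell example. This is not part of the Eucaris tooling or documentation. It assumes Windows PowerShell 5.1 on a machine with .NET Framework 4.7.2 or later, an elevated prompt for the import, and a PFX path and password supplied by the caller; the function names, the probe string and the placeholder path and password are the example's own.

```powershell
# Added example (not Eucaris tooling or documentation). Assumes Windows PowerShell 5.1
# with .NET Framework 4.7.2 or later; Import-PfxWithCsp must run from an elevated prompt.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-KeyProviderInfo {
    param([Parameter(Mandatory)] [X509Certificate2] $Cert)

    # GetRSAPrivateKey returns RSACryptoServiceProvider for a legacy CSP key and
    # RSACng for a CNG key, whereas X509Certificate2.PrivateKey throws on CNG keys.
    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "Certificate $($Cert.Thumbprint) has no RSA private key" }

    if ($rsa -is [RSACryptoServiceProvider]) {
        $provider     = $rsa.CspKeyContainerInfo.ProviderName
        $providerType = $rsa.CspKeyContainerInfo.ProviderType   # 1 = PROV_RSA_FULL, 12 = PROV_RSA_SCHANNEL, 24 = PROV_RSA_AES
    } else {
        $provider     = $rsa.Key.Provider.Provider               # CNG key storage provider
        $providerType = 'CNG'
    }

    # The primitive behind SignedXml.ComputeSignature with rsa-sha256: a PKCS#1 v1.5
    # signature over a SHA-256 digest. Providers without SHA-2 support (PROV_RSA_SCHANNEL,
    # PROV_RSA_FULL) throw "Invalid algorithm specified" here.
    $sha256 = [HashAlgorithmName]::SHA256
    $pkcs1  = [RSASignaturePadding]::Pkcs1
    $data   = [Text.Encoding]::UTF8.GetBytes('signing probe')   # constructed test input
    try {
        $sig    = $rsa.SignData($data, $sha256, $pkcs1)
        $status = if ($rsa.VerifyData($data, $sig, $sha256, $pkcs1)) { 'OK' } else { 'FAILED: signature did not verify' }
    } catch {
        $status = 'FAILED: ' + $_.Exception.GetBaseException().Message
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        Provider      = $provider
        ProviderType  = $providerType
        Sha256Signing = $status
    }
}

function Test-PfxSha256Signing {
    param([Parameter(Mandatory)] [string] $PfxPath, [Parameter(Mandatory)] [string] $Password)

    # Loading a PFX creates a temporary key container with the provider named inside
    # the PFX, i.e. the one an import without -csp would use.
    $cert = [X509Certificate2]::new($PfxPath, $Password, [X509KeyStorageFlags]::DefaultKeySet)
    Get-KeyProviderInfo -Cert $cert
}

function Import-PfxWithCsp {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $Password,
        [string] $Csp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    )

    $principal = [Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated prompt: -importPFX writes to LocalMachine\My'
    }

    # -csp overrides the provider recorded in the PFX; with no store name, -importPFX
    # targets the LocalMachine Personal (My) store. -p supplies the PFX password.
    & certutil.exe -p $Password -csp $Csp -importPFX $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }

    # Re-read the installed entry from the store and confirm the key is now bound to
    # the requested provider and signs with SHA-256.
    $thumbprint = [X509Certificate2]::new($PfxPath, $Password).Thumbprint
    $result = Get-KeyProviderInfo -Cert (Get-Item "Cert:\LocalMachine\My\$thumbprint")
    if ($result.Provider -ne $Csp) { throw "Store entry uses '$($result.Provider)', expected '$Csp'" }
    $result
}

# Usage (placeholder path and password):
# Test-PfxSha256Signing -PfxPath 'C:\temp\prodrive.acceptance.<country>.testa.eu.pfx' -Password '***'
# Import-PfxWithCsp     -PfxPath 'C:\temp\prodrive.acceptance.<country>.testa.eu.pfx' -Password '***'
```

Test-PfxSha256Signing reproduces the failure before anything is written to the store: for a PFX that records the Microsoft RSA SChannel Cryptographic Provider, Sha256Signing reports FAILED with the "Invalid algorithm specified" message, while the broker signing certificate reports OK. Import-PfxWithCsp then runs the same certutil -csp override as the command above and re-reads the installed entry from Cert:\LocalMachine\My to confirm the key is bound to the requested provider. Passing -p on the command line exposes the password to other local users through the process list; drop -p and let certutil prompt if that matters on the machine.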

In the future the EU Hub may provide certificates with an updated Cryptographic Service Provider, making the forced import unnecessary.

Advice: only use this workaround when you actually encounter "Invalid algorithm specified" errors on certificates.