Reset Search



KB16483 - Does the PCS device support SHA256 (SHA2) Device Certificates and JavaSoft Certificates?

« Go Back


Last Modified Date11/12/2015 4:30 AM

This article describes the PCS device support available for SHA256 (SHA2) Device Certificates and JavaSoft certificates.

Problem or Goal

If the Device Certificate imported into an PCS appliance is signed with SHA256 (SHA2), certificate authentication may fail with this error:

Invalid or expired certificate. Check that your certificate is valid and up-to-date, and try again.

You may also see the wrong-cert reason string in the welcome.cgi URL, as in this example:

https://<IP ADDRESS>/dana-na/auth/url_default/welcome.cgi?p=wrong-cert

If a JavaSoft certificate signed with SHA256 (SHA2) is used to re-sign applets, applet launch may fail with this error:

Security Exception. Could not verify signing in resource.

This can happen if the JavaSoft Certificate is imported directly into the PCS appliance and is used to re-sign web controls or Java Applets. This can also happen if the JavaSoft Certificate is not imported, but a JavaSoft Certificate signed with SHA256 (SHA2) is used to sign an internal Java Applet accessed through the URL Rewriter.


As of 6.4R5, 6.5R3, and 7.0R1 and later releases, Device Certificates imported into the PCS appliance support the SHA256 (SHA2) cipher.

From 8.1R1 and above, Java Applets signed with SHA2 (through the rewrite engine) or JavaSoft Code Signing certificate signed by SHA2 are supported. For 8.0RX and below, you may resign the java applet with a SHA1 as a workaround until the PCS software can be upgraded.


As a workaround, you can enable the following in your JAR signer:

  • digestalg SHA1
  • sigalg SHA1withRS

Related Links
Attachment 1 
Created ByData Deployment



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255