Connection to an LDAP Server Fails With Error "Certificate does not conform to algorithm constraints."

Problem

An LDAP connection fails with the error "Certificate does not conform to algorithm constraints", and the error remains even after you have worked through the troubleshooting steps in KB0597327 and KB0621974.

Cause

The LDAP server's certificate is signed with a Signature Algorithm that is no longer compatible with Java JDK 1.8. To determine whether this is the case:

1. From a terminal window, SSH to one of the application server nodes of the instance that is having the issue.

2. Execute the following from the terminal window command line (pass the LDAP server's hostname as the -servername value so the TLS SNI extension is set correctly; the </dev/null redirect stops s_client from waiting for input on stdin):

   openssl s_client -connect <LDAP Server IP address or hostname>:<LDAP Port> -servername <LDAP Server hostname> </dev/null 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'

3. Note whether the following is returned (openssl prints the Signature Algorithm line twice for a single certificate, once in the signed body and once before the signature value):

   Signature Algorithm: rsassaPss
   Signature Algorithm: rsassaPss

This result confirms that the certificate uses an out-of-date signature algorithm that is not compatible with JDK 1.8. For example:

$ openssl s_client -connect 66.109.88.6:636 -servername sha1.badssl.com 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'
Signature Algorithm: rsassaPss
Signature Algorithm: rsassaPss

Java 8 does not support the RSA-PSS signature algorithm, which Microsoft CAs can be configured to use. The following organizations have documented problems with this signature algorithm:

https://bugs.openjdk.java.net/browse/JDK-8166595
https://support.mozilla.org/en-US/questions/986085

The following example shows a signature algorithm that is compatible with JDK 1.8:

$ openssl s_client -connect 66.109.88.6:636 -servername sha1.badssl.com 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

If the command returns a Signature Algorithm other than the unsupported rsassaPss, confirm whether that algorithm is supported in Java 8 before concluding that the certificate is the cause.

Resolution

Apply a new or updated certificate on the LDAP server that uses a Signature Algorithm supported by Java 8, for example sha256WithRSAEncryption. After the certificate is updated on the LDAP server, you also need to import the new certificate into ServiceNow. For more information, refer to the documentation topic Certificates.
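The check described above can be scripted so that it runs against every LDAP server an instance talks to and flags the rsassaPss case automatically. The following POSIX shell script is an added example and is not part of the KB article or of ServiceNow; it wraps the same openssl pipeline, extracts the Signature Algorithm value from the x509 text output, and classifies it. The list of Java 8 compatible algorithm names and the constructed sample x509 output are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the KB article): fetch an LDAP server's certificate,
# extract its Signature Algorithm the same way the article's openssl pipeline
# does, and report whether Java 8 is expected to accept it.

# Assumption: SHA-2 RSA/ECDSA names that a JDK 1.8 truststore validates without
# complaint. rsassaPss is the unsupported algorithm named in the article.
JDK8_OK_ALGS="sha256WithRSAEncryption sha384WithRSAEncryption sha512WithRSAEncryption ecdsa-with-SHA256 ecdsa-with-SHA384 ecdsa-with-SHA512"

# Constructed sample of "openssl x509 -noout -text" output (abridged) for the
# failing case, so the parser can be exercised without network access.
SAMPLE_X509_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256'

# sig_alg_from_x509_text: read x509 text output on stdin and print the first
# Signature Algorithm value (openssl prints the line twice per certificate).
sig_alg_from_x509_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# classify_sig_alg NAME: print "unsupported", "supported" or "unknown".
classify_sig_alg() {
    alg=$1
    if [ "$alg" = "rsassaPss" ]; then
        echo unsupported          # RSA-PSS: Java 8 cannot validate it (JDK-8166595)
        return 0
    fi
    for ok in $JDK8_OK_ALGS; do
        if [ "$alg" = "$ok" ]; then
            echo supported
            return 0
        fi
    done
    echo unknown                  # not on the list: confirm against Java 8 before acting
}

# check_ldap_cert HOST [PORT]: fetch the leaf certificate over LDAPS (default 636),
# using HOST as the SNI name, and print "host: algorithm (classification)".
check_ldap_cert() {
    host=$1
    port=${2:-636}
    alg=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | sig_alg_from_x509_text)
    if [ -z "$alg" ]; then
        echo "no certificate returned from $host:$port" >&2
        return 2
    fi
    printf '%s: %s (%s)\n' "$host" "$alg" "$(classify_sig_alg "$alg")"
}

# classify_sample: run the parser and classifier over the constructed sample;
# returns the classification so it can be checked without a live server.
classify_sample() {
    alg=$(printf '%s\n' "$SAMPLE_X509_TEXT" | sig_alg_from_x509_text)
    classify_sig_alg "$alg"
}

# Usage: ./check_ldap_cert.sh ldap.example.com 636  (hostname is a placeholder)
if [ $# -gt 0 ]; then
    check_ldap_cert "$@"
else
    echo "sample certificate: $(classify_sample)"
fi
```

Run with one or more hostname/port pairs from the application server node; a result of "unsupported" is the rsassaPss case the article describes, "supported" means the certificate is not the cause of the error, and "unknown" means the algorithm still needs to be confirmed against Java 8.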