unsupported_certificate (43)

Unsupported Certificate

criticalTLS Alert

The unsupported_certificate alert (TLS alert code 43) is sent when a certificate is received that has a type not supported by the TLS implementation. This can mean the certificate uses an unsupported key algorithm (e.g., an EdDSA certificate where only RSA and ECDSA are accepted), unsupported key size (e.g., a 512-bit RSA key), or has features or extensions that the peer's TLS library cannot process. This alert is relatively rare in practice because most modern TLS implementations support standard RSA and ECDSA certificates, but it can occur with exotic configurations or very old TLS libraries.

Common Causes

Certificate uses unsupported key algorithm

high

The certificate uses a key algorithm that the peer does not support, such as DSA, Ed25519, or Ed448 in environments that only support RSA and ECDSA. This can happen when the server or client has a newer certificate type than the other side can handle.

Key size too small or too large

medium

Modern TLS implementations reject RSA keys smaller than 2048 bits for security reasons. Conversely, some implementations may not support very large key sizes (e.g., 8192-bit RSA). Either extreme can trigger this alert.

Certificate version not supported

low

The certificate may be a v1 X.509 certificate (lacking the extensions field) when the TLS implementation requires v3 certificates. Modern CAs always issue v3 certificates, but legacy or custom-generated certificates may use older versions.

How to Fix It

Check the certificate key type and size

Inspect the certificate's public key algorithm and key size. Ensure it uses RSA (2048+ bits) or ECDSA (P-256 or P-384), which are universally supported.

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep -E 'Public Key Algorithm|Public-Key'

Verify certificate version

Confirm the certificate is X.509 v3. Older v1 certificates lack the extensions field and may not be accepted by modern TLS stacks.

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep 'Version:'

Reissue with a supported key type

If the certificate uses an unsupported algorithm, generate a new key with a widely supported type (RSA 2048+ or ECDSA P-256) and reissue the certificate.

openssl ecparam -genkey -name prime256v1 -out key.pem && openssl req -new -key key.pem -out csr.pem

Related Error Codes

bad_certificate (42)

Bad Certificate

A certificate in the TLS handshake was corrupt, contained invalid signatures, or could not be parsed.

certificate_unknown (46)

Certificate Unknown

The certificate was rejected for a reason not covered by other specific TLS certificate alerts.

handshake_failure (40)

TLS Handshake Failure

The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.

Frequently Asked Questions

All SSL/TLS Error Codes

unsupported_certificate (43)

Unsupported Certificate

criticalTLS Alert

Common Causes

Certificate uses unsupported key algorithm

high

Key size too small or too large

medium

Certificate version not supported

low

How to Fix It

Check the certificate key type and size

Inspect the certificate's public key algorithm and key size. Ensure it uses RSA (2048+ bits) or ECDSA (P-256 or P-384), which are universally supported.

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep -E 'Public Key Algorithm|Public-Key'

Verify certificate version

Confirm the certificate is X.509 v3. Older v1 certificates lack the extensions field and may not be accepted by modern TLS stacks.

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep 'Version:'

Reissue with a supported key type

If the certificate uses an unsupported algorithm, generate a new key with a widely supported type (RSA 2048+ or ECDSA P-256) and reissue the certificate.

openssl ecparam -genkey -name prime256v1 -out key.pem && openssl req -new -key key.pem -out csr.pem

Related Error Codes

bad_certificate (42)

Bad Certificate

A certificate in the TLS handshake was corrupt, contained invalid signatures, or could not be parsed.

certificate_unknown (46)

Certificate Unknown

The certificate was rejected for a reason not covered by other specific TLS certificate alerts.

handshake_failure (40)

TLS Handshake Failure

The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.

Unsupported Certificate

Common Causes

Certificate uses unsupported key algorithm

Key size too small or too large

Certificate version not supported

How to Fix It

Check the certificate key type and size

Verify certificate version

Reissue with a supported key type

Related Error Codes

Bad Certificate

Certificate Unknown

TLS Handshake Failure

Frequently Asked Questions

What does unsupported_certificate (43) mean?

What causes unsupported_certificate (43)?

How do I fix unsupported_certificate (43)?

Unsupported Certificate

Common Causes

Certificate uses unsupported key algorithm

Key size too small or too large

Certificate version not supported

How to Fix It

Check the certificate key type and size

Verify certificate version

Reissue with a supported key type

Related Error Codes

Bad Certificate

Certificate Unknown

TLS Handshake Failure

Frequently Asked Questions

What does unsupported_certificate (43) mean?

What causes unsupported_certificate (43)?

How do I fix unsupported_certificate (43)?