Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

kridsana_52318's avatar
kridsana_52318
Icon for Nimbostratus rankNimbostratus
Apr 23, 2015

F5 dual-certificate deployment to fix SHA-1 Deprecate issue

Hi   From this information SHA-1 Deprecate >> link from qualys   My customer sha-1 certificate is mark as insecure already. (He using APM and certificate expire on 2018)   If we renew certi...
BIG-IP Access Policy Manager (APM)
design
security
sha256
TMOS
nitass_89166's avatar
nitass_89166
Icon for Noctilucent rankNoctilucent
Apr 24, 2015

i do see ivan mentioned apache uses two key types to support sha1 and sha256. can you also do that? it is supported since 11.5.0.

Ivan Ristic Oct 20, 2014 1:48 AM (in response to BRYAN S.G.)

Bryan, here are two pages from my book, Bulletproof SSL and TLS, that show how to use multiple keys with Apache: http://blog.ivanristic.com/downloads/bulletproof-ssl-and-tls_configuring-multiple-keys.pdf
Because this feature wasn't intended to be used to with around SHA1 issues, you can't have two RSA certificates, one with SHA1 and the other with SHA256. So you'd have to use RSA/SHA1 and ECDSA/SHA256.

sol15062: Associating multiple SSL certificate/key pair types with an SSL profile

https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html
  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Apr 26, 2015
    So I need to add new certificate/key pair which use SHA256 in Key exchange mechanism into Client SSL profile . And change cipher suit to ex. DEFAULT:SHA256 , something like that, Am I right?