kridsana_52318
Apr 24, 2015 · Nimbostratus
F5 dual-certificate deployment to fix SHA-1 Deprecate issue
Hi
From this information: SHA-1 Deprecate >> link from Qualys
My customer's SHA-1 certificate is marked as insecure already. (He is using APM and the certificate expires in 2018.)
If we renew certi...
nitass
Employee
I do see Ivan mentioned Apache uses two key types to support SHA1 and SHA256. Can you also do that? It is supported since 11.5.0.
Ivan Ristic Oct 20, 2014 1:48 AM (in response to BRYAN S.G.)
Bryan, here are two pages from my book, Bulletproof SSL and TLS, that show how to use multiple keys with Apache: http://blog.ivanristic.com/downloads/bulletproof-ssl-and-tls_configuring-multiple-keys.pdf
Because this feature wasn't intended to be used to work around SHA1 issues, you can't have two RSA certificates, one with SHA1 and the other with SHA256. So you'd have to use RSA/SHA1 and ECDSA/SHA256.
sol15062: Associating multiple SSL certificate/key pair types with an SSL profile
https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html
kridsana
Apr 27, 2015 · Cirrocumulus
So I need to add a new certificate/key pair which uses SHA256 in the key exchange mechanism to the Client SSL profile.
And change the cipher suite to e.g. DEFAULT:SHA256, something like that. Am I right?
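Added example, not part of the thread and not F5 or Apache code: a simplified model of how a TLS 1.2 server holding the RSA/SHA1 plus ECDSA/SHA256 pair described above ends up presenting one certificate or the other, based on the authentication type of the negotiated suite. The certificate file names, client offers and server preference order are constructed assumptions.

```python
# Simplified model (constructed for illustration) of key-type-based
# certificate selection on a TLS 1.2 server holding two certificates.
# Authentication type per OpenSSL-style suite name, listed explicitly.
SUITE_AUTH = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "ECDSA",
    "ECDHE-ECDSA-AES256-SHA": "ECDSA",
    "ECDHE-RSA-AES128-GCM-SHA256": "RSA",
    "ECDHE-RSA-AES256-SHA": "RSA",
    "AES128-SHA": "RSA",
    "DES-CBC3-SHA": "RSA",
}
# Assumption: the server prefers ECDSA suites, so capable clients avoid SHA1.
SERVER_PREFERENCE = list(SUITE_AUTH)
# Hypothetical certificate names; hashes follow the pairing in the thread.
DUAL_CERTS = {
    "RSA": {"file": "example-rsa.crt", "signature_hash": "SHA1"},
    "ECDSA": {"file": "example-ecdsa.crt", "signature_hash": "SHA256"},
}
# Constructed client offers.
CLIENTS = {
    "legacy": ["AES128-SHA", "DES-CBC3-SHA"],
    "rsa_only": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
    "modern": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"],
}

def select(client_suites, certs=DUAL_CERTS, preference=SERVER_PREFERENCE):
    """Return (suite, certificate) chosen for a client offer, or None."""
    offered = set(client_suites)
    for suite in preference:
        # A suite is usable only if the server holds a key of its auth type.
        if suite in offered and SUITE_AUTH[suite] in certs:
            return suite, certs[SUITE_AUTH[suite]]
    return None

def sha1_served(clients=CLIENTS, certs=DUAL_CERTS):
    """Names of clients that end up with a SHA1-signed certificate."""
    hits = []
    for name, offer in clients.items():
        chosen = select(offer, certs)
        if chosen and chosen[1]["signature_hash"] == "SHA1":
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    for name, offer in CLIENTS.items():
        print(name, select(offer))
    # "rsa_only" negotiates a ...-SHA256 suite yet still receives the SHA1
    # certificate: the suite's hash is its MAC/PRF, not the cert signature.
    print("served SHA1:", sha1_served())
```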