OTS02
Oct 07, 2014

How do I generate a csr that uses the SHA-2 algorithm?

My LTMs are 11.4.1 HF2. The 2 options that I have are RSA and DSA. I created a test certificate using DSA, but that certificate and key were not available in the drop-down list when attempting to create an SSL profile. Do I need to upgrade to a higher software rev?

 

3 Replies

  • Hi OTS02, I'm also looking into the same thing. We are running the latest version (11.6.0(HF1)) and see nothing for SHA-2 when creating a CSR. We have the same RSA and DSA options when creating it, but those are encryption algorithms; SHA is a hashing algorithm. In 11.6.0 version, under Profiles, I see the "SSL Sign Hash" where you can select SHA1, SHA256, or SHA384. The trick for me is finding where SHA-2 can be selected, if any, when creating CSRs.
  • I see in Release Note: BIG-IP LTM and TMOS 11.2.0, that "This release supports Transport Layer Security (TLS) 1.2, the SHA 2 Cipher, and SHA256 hash." I am wondering if this is something that must be specified when the CSR is submitted to the CA.

     

  • I asked the question of my Symantec rep. This is his answer:

     

    "You are right, the CSR will default to SHA-1. Below the CSR, there is the option box with multiple options with the first one defaulting to SHA-1 but there is an option right below in the option box that will show SHA-256. You will see the option box right below when submitting CSR and you will have to manually choose the SHA-256 option."

     

    So with that question answered, I'm wondering if I apply a SHA-2 certificate to my websites, how many complaints will be generated by users who are using some oddball boutique browser?
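
The point in the Symantec reply above, that the hash on the issued certificate is selected at issuance and not taken from the CSR, can be checked with the OpenSSL command line. This is an added example, not part of the thread and not a BIG-IP procedure: the OpenSSL CLI, the function names, the file names and the subject `www.example.test` are assumptions made for the illustration, and a self-signed issuance stands in for the CA. It uses SHA-256 for the CSR and SHA-384 for the certificate so that the two values are visibly different.

```shell
#!/bin/sh
# Added example, not from the thread. All names and the subject are constructed.
set -eu

# Print the signature algorithm recorded in a CSR ("req") or certificate ("x509").
sig_alg() {  # usage: sig_alg req|x509 FILE
    openssl "$1" -in "$2" -noout -text |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Create an RSA key and a CSR signed with CSR_HASH, then issue a certificate
# from that CSR signed with CERT_HASH (self-signed here, standing in for the CA).
# Echoes "<csr signature algorithm> <certificate signature algorithm>".
csr_vs_cert_hash() {  # usage: csr_vs_cert_hash CSR_HASH CERT_HASH
    dir=$(mktemp -d)
    # The digest flag on "req" only controls the CSR's own self-signature.
    openssl req -new -newkey rsa:2048 -nodes "-$1" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/key.pem" -out "$dir/req.csr" 2>/dev/null
    # The signer picks the digest again when it issues the certificate.
    openssl x509 -req "-$2" -days 1 -in "$dir/req.csr" \
        -signkey "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$(sig_alg req "$dir/req.csr") $(sig_alg x509 "$dir/cert.pem")"
    rm -rf "$dir"
}

csr_vs_cert_hash sha256 sha384
```

The same `sig_alg x509` check can be run against a certificate returned by a CA to confirm which hash it was actually issued with.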