Forum Discussion
Implementing a Certificate with SHA2
I need to request a certificate from an authority, and it has to be SHA-2. I only see RSA, DSA or ECDSA to choose from, and the bits. The question is: if I choose RSA with 2048 bits, will the hash algorithm be SHA-2?
13 Replies
- Jorge_Herran_14
Altostratus
Something useful: I am running the latest software version on my LTMs.
- nitass
Employee
I understand it has been changed to sha256 by default since 11.5.0.
ID389552 - Use SHA-256 instead of SHA1 when signing RSA keys.
This is 11.6.0.
```
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) create sys crypto key test.key key-size 2048 gen-csr country US city Seattle state WA organization acme ou IT common-name test.acme.com email-address test@acme.com
To sign a third party certificate use:
-----BEGIN CERTIFICATE REQUEST-----
MIIC4TCCAckCAQAwfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQH
EwdTZWF0dGxlMQ0wCwYDVQQKEwRhY21lMQswCQYDVQQLEwJJVDEWMBQGA1UEAxMN
dGVzdC5hY21lLmNvbTEcMBoGCSqGSIb3DQEJARYNdGVzdEBhY21lLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM5Uw3n1e6dMTVmqcxo+6nrjSQOY
ABgvId7WawMVPAti6oSSZNNx0DbwJhdzd/9sfvBLKVpfak8WdH0KjrIdUyriqIwY
XZisMwqMNXgAZUgEym1azgPAYUSUuXDjT6OSJcEY2+DY0ilwc/VODm5kQPCs48Fn
+q6Y7Fz+g80gDnle9pKm/1ivnsrbFxEIoDwVUUPhjFTeCcPOkUcHMsM0oUWfFF1b
kxWBt7c8Qba/cv7IbTADlDn5V72fEhGTIFkrzxmlRbdlt4UNSmSLZDd/1+vUw8re
DcedSdVaRcnud+5T+t+6xZAmFDug0qLg17qo0Zj8nvZ+VeEue2zLmR42KC8CAwEA
AaAeMBwGCSqGSIb3DQEJATEPFg10ZXN0QGFjbWUuY29tMA0GCSqGSIb3DQEBCwUA
A4IBAQAdDk2q8Bq6Fpbt4N4rG5WADC13ohroFaHLt1V0wHUsrDrhH9OmFGZVKIrt
9o2yZGOvynn9Nc4DpvSHOF8e5mH5gejmrmtkfLI3JlcRLe9iyc0muwFvPKfyFTZk
/+BL1CGmbUUAmfLBOHNZS/eF4665ePwz74YsfdsehFMMKvkrz0cUea78zPaboKBn
wldgyD83k9VthnmZ0yU9phIGSE7QcGGeVfs6Q/hS8MzD70f4r16HZSrfB4UFV8OO
WF+NrVDRgaMsp3LtHpZfIk1XXAol2DYgYNZjEcteZ++5j9c/OpiWjTYQkMGSQd/G
X7K2wb7EykRd1oxYwj0J3EVWuTCw
-----END CERTIFICATE REQUEST-----
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) q
[root@ve11c:Active:In Sync] config
[root@ve11c:Active:In Sync] config openssl req -noout -text -in /config/ssl/ssl.csr/test.csr | grep -i signature
Signature Algorithm: sha256WithRSAEncryption
```
- Jorge_Herran_14
Altostratus
Thanks nitass. I will do as you have shown me. I understand from your answer that it isn't possible to do it from the graphical interface, right?
- nitass
Employee
yes (in current version).
- Jorge_Herran_14
Altostratus
Hi nitass, you know, I checked the certificate that I generated from the graphical interface and, you know, it is sha256, so when you select RSA on version 11.6, it uses sha256 by default. Here is my check, thanks to your info:
```
[root@ltm1:Active:In Sync] config openssl req -noout -text -in /config/ssl/ssl.csr/aunclic.grupobancolombia.com.csr | grep -i signature
Signature Algorithm: sha256WithRSAEncryption
```
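The check used in this thread, generalized as an added example (not code from the posters or from F5): it reads the signature algorithm of every PEM CSR or certificate in a directory and flags anything not signed with a SHA-2 hash. The function names are hypothetical. The hash on a CSR is only the requester's self-signature; the issuing CA chooses the hash on the certificate it returns, so the same check should be run on the issued certificate.

```shell
#!/bin/bash
# Added example (function names are hypothetical): audit the signature
# hash of every PEM CSR or certificate in a directory.

# Print the first "Signature Algorithm" value of a PEM CSR or certificate.
sig_alg() {
    local file="$1" sub=req                       # default: treat as CSR
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$file"; then
        sub=x509                                  # issued certificate
    fi
    openssl "$sub" -noout -text -in "$file" 2>/dev/null |
        awk -F': *' '/Signature Algorithm/ { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Map an OpenSSL algorithm name to sha2 / weak / unknown.
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha224*|*sha256*|*sha384*|*sha512*) echo sha2 ;;
        *md2*|*md5*|*sha1*)                  echo weak ;;
        *)                                   echo unknown ;;  # e.g. rsassaPss: inspect by hand
    esac
}

# Report every file in a directory; return non-zero if any is not SHA-2.
audit_dir() {
    local dir="$1" f alg verdict rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        alg=$(sig_alg "$f")
        verdict=$(classify_sig_alg "$alg")
        printf '%-8s %-26s %s\n' "$verdict" "${alg:-<unparsed>}" "$f"
        [ "$verdict" = sha2 ] || rc=1
    done
    return "$rc"
}

# Usage: ./audit.sh /config/ssl/ssl.csr   (the CSR directory shown in the thread)
[ "$#" -eq 0 ] || audit_dir "$1"
```

A non-zero exit status means at least one file is signed with a weak hash or could not be classified.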
