Forum Discussion
Network Solutions SSL CSR with F5 11.5.1
We have purchased our certs from Network Solutions in the past and we recently upgraded to 11.5.1. When I go to post the CSR into the Network Solutions form I get an error stating "The CSR provided uses an unsupported signature algorithm. Supported algorithms are: md5withrsa, sha1withrsa, oid 1.2.840.113549.1.1.4, oid 1.2.840.113549.1.1.5". I called Network Solutions support and there was no way around it. I then went to an older F5 we have running 9.4.4, created the cert, exported the CSR and Network Solutions took it. Anyone experience anything similar or know if F5 changed the SSL signature algorithm in the latest release?
5 Replies
- nitass
Employee
I think 11.5.1 uses SHA-2 as the signature algorithm. You may use the openssl command instead.

    [root@ve11a:Active:In Sync] config # tmsh show sys version
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.5.1
      Build    0.0.110
      Edition  Final
      Date     Wed Mar 12 15:44:53 PDT 2014

    [root@ve11a:Active:In Sync] config # openssl req -text -noout -in /config/ssl/ssl.csr/testcsr.csr | grep Signature\ Algorithm
        Signature Algorithm: sha256WithRSAEncryption
- Mike_Maher
Nimbostratus
Honestly you should be wanting to move your signing algorithms to SHA2 anyway. Microsoft has already announced the deprecation date for SHA1 as 1/1/2016 and that by 1/1/2017 Windows will not accept any SHA1 signed certificates.
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
Also you can reference this NIST guidance for moving forward as well. If you want to take the time to read through it :)
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
Personally I would question your CA as to why they will not allow you to use a more secure algorithm. I can understand allowing you as the customer to choose to issue at SHA1 for compatibility reasons, but not even allowing SHA2 as a choice seems like a bad decision to me. I am currently issuing everything as SHA2 unless there is a technical limitation on a server that requires SHA1.
- Kip_Young_DL_14
Nimbostratus
We are experiencing the same frustration with Network Solutions now. I do not have an older F5 to generate the CSR from unfortunately. Any suggestions on a workaround?
- mimlo_61970
Cumulonimbus
The only workaround I can think of is what nitass said: use the command-line openssl. You can do this on probably any Linux box, on the F5, or even Cygwin on Windows (with OpenSSL installed).
Generate a CSR with a new private key:

    openssl req -out CSR.csr -new -newkey rsa:2048 -sha1 -nodes -keyout privateKey.key

You will need to import the above privateKey.key into the F5 along with your new certificate. Remove -nodes if you want to password-protect the private key.
If you want to reuse a private key, use:

    openssl req -out CSR.csr -key privateKey.key -new -sha1
- mimlo_61970
Cumulonimbus
Also, see http://www.sslshopper.com/article-most-common-openssl-commands.html for more openssl command line help