| Select one of the following:
- Defined by destination host (default)—Select this option if you want the firewall to generate certificates based on the key that the destination server uses:
  - If the destination server uses an RSA 1,024-bit key, the firewall generates a certificate with that key size and the SHA-1 hashing algorithm.
  - If the destination server uses a key size larger than 1,024 bits (for example, 2,048 bits or 4,096 bits), the firewall generates a certificate that uses a 2,048-bit key and the SHA-256 algorithm.
- 1024-bit RSA—Select this option if you want the firewall to generate certificates that use an RSA 1,024-bit key and the SHA-256 hashing algorithm regardless of the key size that the destination server uses. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, the browser might warn the user or block the SSL/TLS session entirely when presented with such keys.
- 2048-bit RSA—Select this option if you want the firewall to generate certificates that use an RSA 2,048-bit key and the SHA-256 hashing algorithm regardless of the key size that the destination server uses. Public CAs and popular browsers support 2,048-bit keys, which provide better security than the 1,024-bit keys.
|