Configure the Key Size for SSL Forward Proxy Server Certificates

When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate as follows:
  1. Select Device > Setup > Session and, in the Decryption Settings section, click SSL Forward Proxy Settings.
  2. Select a Key Size:
    • Defined by destination host—The firewall determines the key size and the hashing algorithm for the certificates it generates to establish SSL proxy sessions with clients based on the destination server certificate. If the destination server uses a 1,024-bit RSA key, the firewall generates a certificate with a 1,024-bit RSA key. If the destination server uses a key size larger than 1,024 bits (for example, 2,048 bits or 4,096 bits), the firewall generates a certificate that uses a 2,048-bit RSA key. If the destination server uses the SHA-1 hashing algorithm, the firewall generates a certificate with the SHA-1 hashing algorithm. If the destination server uses a hashing algorithm stronger than SHA-1, the firewall generates a certificate with the SHA-256 algorithm. This is the default setting.
    • 1024-bit RSA—The firewall generates certificates that use a 1,024-bit RSA key and SHA-256 hashing algorithm regardless of the key size of the destination server certificates. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.
    • 2048-bit RSA—The firewall generates certificates that use a 2,048-bit RSA key and SHA-256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than the 1,024-bit keys.
    Changing the key size setting clears the current certificate cache.
  3. Click OK and Commit.
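As an added illustration (not code from the PAN-OS documentation or product), the following Python models the three Key Size behaviors described above and uses that model to audit the certificate a client actually receives through the proxy. The setting names, the audit function and the `cryptography`-based fetcher are this example's own assumptions; the policy rule for server keys below 1,024 bits is also an assumption, since the page does not cover that case.

```python
"""Model of the documented SSL Forward Proxy key-size policy, plus an audit helper."""
import socket
import ssl

# Assumed labels for the three GUI options (not official identifiers).
DEFINED_BY_HOST = "defined-by-destination-host"
RSA_1024 = "1024-bit-rsa"
RSA_2048 = "2048-bit-rsa"


def expected_proxy_cert(setting, server_key_bits, server_hash):
    """Return the (key_bits, hash) the firewall is documented to generate for the client."""
    if setting == RSA_1024:
        return 1024, "sha256"          # fixed 1,024-bit RSA / SHA-256, whatever the server uses
    if setting == RSA_2048:
        return 2048, "sha256"          # fixed 2,048-bit RSA / SHA-256, whatever the server uses
    if setting == DEFINED_BY_HOST:
        # 1,024-bit server key -> 1,024-bit copy; anything larger -> 2,048-bit copy.
        # Assumption: keys below 1,024 bits (not covered by the page) also map to 1,024.
        key_bits = 2048 if server_key_bits > 1024 else 1024
        # SHA-1 server signature -> SHA-1 copy; anything stronger -> SHA-256 copy.
        hash_name = "sha1" if server_hash == "sha1" else "sha256"
        return key_bits, hash_name
    raise ValueError(f"unknown Key Size setting: {setting}")


def audit_client_cert(setting, server_key_bits, server_hash,
                      observed_bits, observed_hash, minimum_bits=2048):
    """Compare an observed firewall-issued certificate with the documented policy.

    Returns a list of findings (empty when the certificate is both as predicted
    and at or above the key-size floor browsers and public CAs expect)."""
    findings = []
    exp_bits, exp_hash = expected_proxy_cert(setting, server_key_bits, server_hash)
    if (observed_bits, observed_hash) != (exp_bits, exp_hash):
        findings.append(f"observed {observed_bits}-bit/{observed_hash}, "
                        f"policy predicts {exp_bits}-bit/{exp_hash}")
    if observed_bits < minimum_bits:
        findings.append(f"{observed_bits}-bit key is below the {minimum_bits}-bit floor")
    if observed_hash == "sha1":
        findings.append("proxy certificate is signed with SHA-1")
    return findings


def fetch_cert_params(host, port=443, timeout=5):
    """Read key size and signature hash of the certificate a client sees for host.

    Needs the third-party 'cryptography' package (imported lazily so the rest of the
    module runs without it) and a trust store containing the firewall's Forward Trust CA."""
    from cryptography import x509
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    return cert.public_key().key_size, cert.signature_hash_algorithm.name
```

Run `fetch_cert_params` from a client behind the decrypting firewall and feed its result, together with the configured setting and the origin server's parameters, to `audit_client_cert` to confirm the Key Size setting behaves as documented.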