DESCRIPTION: EX SSL-VPN: AMC shows the certificate warning "Incompatible Signature Algorithm" after upgrading to 10.7.0 firmware
After upgrading the appliance from 10.6.x, or even 10.5.x, to the 10.7.0 release, the administrator might see the "Incompatible Signature Algorithm" warning on the AMC SSL Settings page.
The above warning will occur for the following scenarios:
a. Existing certificates with the SHA-512 or MD* algorithm are carried over in the upgrade and used in the latest 10.7.0 release.
b. Even if TLS 1.2 is not enforced on the appliance, these warnings are expected for any certificate installed or used with the SHA-512 algorithm. The intent is to help administrators plan their certificate needs for TLS 1.2 support.
c. Even authentication-server certificates (self-signed using an internal CA) with SHA-512 will show these warnings.
With the latest 10.7.0 release, we support the TLS 1.2 protocol on our appliance. As the SHA-512 and MD* algorithms are not compatible with TLS 1.2, any existing or new certificate using these algorithms will show the warning message "Incompatible Signature Algorithm".
We recommend that customers create and use a new certificate with the SHA-1, SHA-256 or SHA-384 hash algorithm. This information is documented in the 10.7.0 release notes for further reference.
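To find affected certificates before upgrading, the rule above can be applied to exported PEM files with OpenSSL. This is an added example, not SonicWall tooling; the function names, the REVIEW verdict for algorithms the article does not mention, and the constructed sample certificates are assumptions of the example.

```shell
#!/bin/sh
# Added example, not vendor code. Classifies PEM certificates by the rule in
# this article: SHA-512 and MD* signatures raise the 10.7.0 AMC warning;
# SHA-1, SHA-256 and SHA-384 are the listed alternatives.

# Print the signature algorithm name OpenSSL reports for certificate $1.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print "<verdict> <algorithm>" for certificate $1.
# Returns 0 = OK, 1 = WARN, 2 = REVIEW, 3 = not a readable certificate.
check_cert() {
    alg=$(cert_sig_alg "$1")
    [ -n "$alg" ] || { echo "ERROR unreadable"; return 3; }
    case $(printf '%s' "$alg" | tr '[:upper:]' '[:lower:]') in
        *sha512*|*md2*|*md4*|*md5*) echo "WARN $alg"; return 1 ;;
        *sha1*|*sha256*|*sha384*)   echo "OK $alg"; return 0 ;;
        # Assumption: anything the article does not name (RSA-PSS, Ed25519,
        # ...) is left for manual review rather than guessed at.
        *) echo "REVIEW $alg"; return 2 ;;
    esac
}

# Constructed sample input: throwaway self-signed certificate signed with
# digest $1 (for example sha256), written to $2; the key goes to $2.key.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -"$1" -days 1 \
        -subj "/CN=constructed.example" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Usage: sh check_sigalg.sh cert1.pem cert2.pem ...
for f in "$@"; do
    printf '%s: ' "$f"
    check_cert "$f" || true
done
```

Run it against every certificate exported from the appliance, including those used for authentication servers; any file reported as WARN should be reissued before the upgrade.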