There is a large weakness in 1024 bit products created according
to the method described if you reuse F.
If N1 and N2 are both created with the same F, F can be calculated
immediately:
G = gcd(N1-1,N2-1) = 2Fk.
Factor G to get F, which is easy to spot because it is length 461 bits.
Additionally, security can be significantly weakened if the
difficulty of factoring N-1 is significantly easier than factoring N.
N-1 is a composite which can be significantly easier to factor than
a 1024 bit product of two 512 bit primes.
Based on the definitions and limitations of F, p and q in the question:
N = (2Fp+1)(2Fq+1)
Expanding
N = 4*F^2pq+2Fp+2Fq+1
Rearranging
N = 2F(2Fpq+p+q)+1
N-1 = 2F(2Fpq+p+q)
After factoring N-1 you have F, an approx. 461 bit prime.
Let u be (N-1)/2F = (2Fpq+p+q)
u = (2Fpq+p+q)
Then calculate s = mod(u,2F) = p+q,
q = s-p
Substitute s-p for q and s for p+q
u = (2Fp(s-p)+s)
u = 2Fps-2Fp^2+s
This results in a quadratic in p
-2Fp^2+2Fsp+s-u = 0
p = (Fs - sqrt(F(Fs^2 + 2s - 2u)))/(2F)
q = s-p
The two approx 512 bit primes can now be calculated.
N = (2Fp+1)(2Fq+1)
Note that factoring N-1 may still take a significant amount of time
requiring GNFS or CADO-NFS, but still significantly easier to factor
than a 1024 bit product of two 512 bit primes.
