Disabling TPM (Trusted Platform Module) certificate protection during installation on the firewall
More recent models of SNS 3100 firewalls offer certificate protection with TPM chips from version 3.10 of SNS and upwards.
Whenever you install an identity (.p12 format) on an SNS firewall from the SMC server, certificate protection via TPM chip is enabled by default. The certificate is protected by a password stored on the TPM chip.
In SMC, TPM-protected certificates can only be used in IPsec VPN topologies with encryption profiles of the type IKEv2.
To create VPN topologies with IKEv1 encryption profiles, disable this protection using the environment variable FWADMIN_FW_TPM_DISABLED, as described below.
If a TPM chip has been installed and enabled on an SNS model firewall, whenever you install a certificate on a firewall from the SMC server, the TPM chip will protect the certificate.
To find out whether a certificate is protected by a TPM chip, go to the following panels in the SMC server web administration interface:
- In the Configuration > Certificates menu, show the Storage column (hidden by default). The status Protected is indicated in the column if the certificate is protected by a TPM chip.
- In a firewall's IPSEC VPN properties, the status Protected is indicated in the X509 certificate's characteristics.
Whenever you install a new certificate on the firewall, the status will also be indicated in the window showing the results of the installation of a certificate.
To disable TPM protection when you install a certificate on an SNS firewall from the SMC server, the FWADMIN_FW_TPM_DISABLED environment variable needs to be modified:
- Log on to the SMC server via the console port or in SSH.
- In the file /data/config/fwadmin-env.conf.local, change the value of the environment variable:
- Restart the server with the command
To enable TPM protection on a certificate that has already been installed on a firewall, run the following SNS CLI script from the Scripts/SNS CLI scripts menu:
PKI CERTIFICATE PROTECT caname=myca name=mycert tpm=ondisk
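
An added audit check, not part of the Stormshield documentation: it reports whether FWADMIN_FW_TPM_DISABLED is assigned in /data/config/fwadmin-env.conf.local, so a reviewer can spot that the default TPM protection has been overridden on an SMC server. It assumes shell-style NAME=value lines where the last assignment wins; the function names and the sample values are hypothetical.

```shell
#!/bin/sh
# Added audit helper (not Stormshield code).
# Assumption: the override file holds shell-style NAME=value lines and the
# last assignment of a variable is the effective one.

# tpm_override [FILE]
#   Prints the raw value assigned to FWADMIN_FW_TPM_DISABLED in FILE.
#   Returns 0 if the variable is assigned, 1 if it is not,
#   2 if FILE cannot be read.
tpm_override() {
    file=${1:-/data/config/fwadmin-env.conf.local}
    [ -r "$file" ] || return 2
    awk -v q="'" '
        /^[ \t]*#/ { next }                          # skip comment lines
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)  # optional "export" prefix
            if (line !~ /^FWADMIN_FW_TPM_DISABLED[ \t]*=/) next
            sub(/^[^=]*=[ \t]*/, "", line)           # keep the right-hand side
            sub(/[ \t\r]+$/, "", line)               # trailing blanks or CR
            gsub("^[\"" q "]|[\"" q "]$", "", line)  # surrounding quotes
            value = line
            found = 1
        }
        END { if (!found) exit 1; print value }
    ' "$file"
}

# write_sample PATH
#   Writes a constructed sample file. The values are placeholders, not real
#   SMC settings; the page does not show the value the variable takes.
write_sample() {
    cat > "$1" <<'EOF'
# local overrides
OTHER_SETTING=1
FWADMIN_FW_TPM_DISABLED=placeholder-old
export FWADMIN_FW_TPM_DISABLED="placeholder-new"
#FWADMIN_FW_TPM_DISABLED=commented-out
EOF
}
```

Run `tpm_override` with no argument on the SMC server to check the live file; a return status of 1 means the variable is not assigned there.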