Disabling TPM (Trusted Platform Module) certificate protection during installation on the firewall

If a TPM chip has been installed and enabled on an SNS model firewall, whenever you install a certificate on a firewall from the SMC server, the TPM chip will protect the certificate.

To find out whether a certificate is protected by a TPM chip, go to the following panels in the SMC server web administration interface:

• In the Configuration > Certificats menu, show the Storage column (hidden by default). The status Protected is indicated in the column if the certificate is protected by a TPM chip.
  
• In a firewall's IPSEC VPN properties, the status Protected is indicated in the X509 certificate's characteristics.
  

Whenever you install a new certificate on the firewall, the status will also be indicated in the window showing the results of the installation of a certificate.

To disable TPM protection when you install a certificate on an SNS firewall from the SMC server, the FWADMIN_FW_TPM_DISABLED environment variable needs to be modified:

1. Log on to the SMC server via the console port or in SSH.
2. In the file /data/config/fwadmin-env.conf.local, change the value of the environment variable: FWADMIN_FW_TPM_DISABLED=true
3. Restart the server with the command nrestart fwadmin-server

• To enable TPM protection on a certificate that has already been installed on a firewall, run the following SNS CLI script from the Scripts/SNS CLI scripts menu:

PKI CERTIFICATE PROTECT caname=myca name=mycert tpm=ondisk