CERTIFICATES AND PKI

PKI, or Public Key Infrastructure, is a cryptographic system based on asymmetric cryptography. It uses signature mechanisms to certify public keys (by associating a key with a user), which allows messages and traffic to be encrypted and signed in order to ensure confidentiality, authentication, integrity and non-repudiation.

The Stormshield Network PKI allows generating and issuing certificate authorities (CAs) as well as certificates. These contain a key pair associated with information that may belong to a user, a server, etc. The aim of Stormshield Network’s PKI is to authenticate these elements.

When the SSL VPN feature is used, the CA (certificate authority) “SSL VPN-full-default-authority” includes a server certificate “openvpnserver” and a user certificate “openvpnclient”. This allows the client and the Stormshield Network firewall’s SSL VPN service to identify each other without relying on an external authority.


The window of the Certificates and PKI module consists of 3 sections:

  • At the top of the screen, the various possible operations in the form of a search bar and buttons.
  • On the left, the list of authorities and certificates.
  • On the right, details regarding the certificate authority selected beforehand from the list on the left, as well as information regarding the CRL and the configuration of the CA or sub-CA.


Whenever you hover over a certificate or a CA used in the firewall's configuration, the validity period of the item being hovered over will appear in color in the following cases:

  • Certificate expiring in fewer than 30 days (expiration date in orange),
  • Certificate with a validity period in the future (start date in orange),
  • Expired certificate (expiration date in red),
  • Revoked certificate (end of validity period in red),
  • CRL of a CA that has passed half of its lifetime, or that will reach that point in fewer than 5 days (expiration date in orange),
  • CRL of an expired CA (expiration date in red),
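The colouring rules above, applied in code as an added example that is not part of the Stormshield documentation or product: the record layouts, the fixed "now", the sample dates and the reading of "its lifetime" as the CRL's own thisUpdate/nextUpdate interval are all assumptions made here.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Thresholds taken from the colouring rules listed above.
EXPIRY_WARNING = timedelta(days=30)  # certificate expiring in fewer than 30 days
CRL_WARNING = timedelta(days=5)      # CRL half-life reached in fewer than 5 days

# Assumed record layouts (not Stormshield types) holding the dates the rules use.
CertInfo = namedtuple("CertInfo", "not_before not_after revoked")
CrlInfo = namedtuple("CrlInfo", "this_update next_update ca_not_after")

def cert_status(cert, now):
    """Return (state, colour) for a certificate, applying the rules in order."""
    if cert.revoked:
        return ("revoked", "red")           # end of validity period in red
    if now > cert.not_after:
        return ("expired", "red")           # expiration date in red
    if now < cert.not_before:
        return ("not_yet_valid", "orange")  # start date in orange
    if cert.not_after - now < EXPIRY_WARNING:
        return ("expiring_soon", "orange")  # expiration date in orange
    return ("valid", "none")

def crl_status(crl, now):
    """Return (state, colour) for a CRL; half-life is the midpoint of its validity."""
    if now > crl.ca_not_after:
        return ("ca_expired", "red")        # CRL of an expired CA
    half_life = crl.this_update + (crl.next_update - crl.this_update) / 2
    if half_life - now < CRL_WARNING:       # past it, or fewer than 5 days away
        return ("past_half_life", "orange")
    return ("valid", "none")

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data, evaluated against a fixed "now" of 2024-06-01.
NOW = utc(2024, 6, 1)
SAMPLE_CERTS = {
    "long_lived": CertInfo(utc(2024, 1, 1), utc(2025, 1, 1), False),
    "expiring":   CertInfo(utc(2024, 1, 1), utc(2024, 6, 20), False),
    "future":     CertInfo(utc(2024, 7, 1), utc(2025, 7, 1), False),
    "expired":    CertInfo(utc(2023, 1, 1), utc(2024, 5, 1), False),
    "revoked":    CertInfo(utc(2024, 1, 1), utc(2025, 1, 1), True),
}
SAMPLE_CRLS = {
    "fresh":     CrlInfo(utc(2024, 5, 30), utc(2024, 6, 29), utc(2030, 1, 1)),
    "half_life": CrlInfo(utc(2024, 5, 20), utc(2024, 6, 19), utc(2030, 1, 1)),
    "dead_ca":   CrlInfo(utc(2024, 5, 20), utc(2024, 6, 19), utc(2024, 5, 1)),
}
```

Feeding real X.509 notBefore/notAfter and CRL thisUpdate/nextUpdate values into these records gives the same classification the module's highlighting would show, which is useful for scripted expiry monitoring outside the GUI.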