IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version still under maintenance to guarantee the protection of your infrastructure.
CERTIFICATES AND PKI
A PKI (Public Key Infrastructure) is a cryptographic system based on asymmetric cryptography. It certifies public keys by signing them, which makes it possible to encrypt and sign messages or traffic in order to ensure confidentiality, authentication, integrity and non-repudiation.
The Stormshield Network PKI allows generating and issuing certification authorities (CAs) as well as certificates. Each of these consists of a private key and a certificate that binds the matching public key to identifying information about its holder (a user, a server, etc.). The aim of Stormshield Network’s PKI is to authenticate these elements.
When the SSL VPN feature is used, the CA (certification authority) “SSL VPN-full-default-authority” includes a server certificate “openvpnserver” and a user certificate “openvpnclient”. This allows the client and the Stormshield Network firewall’s SSL VPN service to identify each other without relying on an external authority.
NOTE
If the firewall has a TPM (Trusted Platform Module), the private keys in some of the firewall's certificates can be protected by the TPM. For more information, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.
The window of the Certificates and PKI module consists of three sections:
- At the top of the screen, the various possible operations in the form of a search bar and buttons.
- On the left, the list of authorities and certificates.
- On the right, details regarding the certification authority selected beforehand from the list on the left, as well as information regarding the CRL and the configuration of the CA or sub-CA.
The firewall's health indicator (in the upper banner of the web administration interface when there is an issue) uses probes that track validity dates and the statuses of certificates and certification authorities used in the configuration. These probes report anomalies in the following cases:
- Certificate expiring in fewer than 30 days,
- Certificate with a validity period in the future,
- Certificate expired,
- Certificate revoked,
- CRL of a CA that has exceeded half of its lifetime or which will be reaching it in fewer than 5 days,
- CRL of an expired CA.
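The six probe conditions above map directly onto a small set of date comparisons. The following Python script is an added example, not Stormshield code and not the firewall's own probe implementation: it re-implements those rules over an in-memory inventory so the thresholds (fewer than 30 days, half of the CRL lifetime, fewer than 5 days) can be exercised against constructed sample dates. The object names, the `Certificate`/`Authority` classes and the dates are all hypothetical; a real check would read notBefore/notAfter, revocation status and the CRL's thisUpdate/nextUpdate from exported PEM files.

```python
"""Re-implementation of the health-indicator certificate and CRL probes.

Added example, not Stormshield code. It applies the six rules listed in the
documentation to an in-memory inventory so the thresholds can be checked
against constructed sample dates.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EXPIRY_WARNING = timedelta(days=30)  # "expiring in fewer than 30 days"
CRL_WARNING = timedelta(days=5)      # "will reach half of its lifetime in fewer than 5 days"


@dataclass
class Certificate:            # hypothetical model of one certificate
    name: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False


@dataclass
class Authority:              # hypothetical model of a CA and its current CRL
    cert: Certificate         # the CA's own certificate
    crl_this_update: datetime # thisUpdate field of the CRL
    crl_next_update: datetime # nextUpdate field of the CRL


def check_certificate(cert: Certificate, now: datetime) -> list[str]:
    """Return the anomalies the health indicator would raise for one certificate."""
    issues = []
    if cert.revoked:
        issues.append("revoked")
    if now < cert.not_before:
        issues.append("validity period in the future")
    elif now > cert.not_after:
        issues.append("expired")
    elif cert.not_after - now < EXPIRY_WARNING:
        issues.append("expiring in fewer than 30 days")
    return issues


def check_crl(ca: Authority, now: datetime) -> list[str]:
    """Return the CRL anomalies for one CA (its own certificate is checked separately)."""
    issues = []
    if now > ca.cert.not_after:
        issues.append("CRL of an expired CA")
    lifetime = ca.crl_next_update - ca.crl_this_update
    half_life = ca.crl_this_update + lifetime / 2
    if now >= half_life:
        issues.append("CRL has exceeded half of its lifetime")
    elif half_life - now < CRL_WARNING:
        issues.append("CRL will reach half of its lifetime in fewer than 5 days")
    return issues


def run_probes(certs, authorities, now):
    """Map each object name to its anomaly list; objects without anomalies are omitted."""
    report = {}
    for cert in certs:
        found = check_certificate(cert, now)
        if found:
            report[cert.name] = found
    for ca in authorities:
        found = check_certificate(ca.cert, now) + check_crl(ca, now)
        if found:
            report[ca.cert.name] = found
    return report


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


NOW = utc(2025, 3, 1)  # constructed "current" time for the sample run

# Constructed sample inventory: names and dates are hypothetical.
SAMPLE_CERTS = [
    Certificate("openvpnserver", utc(2024, 1, 1), utc(2025, 3, 20)),          # 19 days left
    Certificate("user-not-yet-valid", utc(2025, 6, 1), utc(2026, 6, 1)),      # notBefore ahead
    Certificate("user-expired", utc(2023, 1, 1), utc(2024, 12, 31)),
    Certificate("user-revoked", utc(2024, 1, 1), utc(2026, 1, 1), revoked=True),
    Certificate("user-healthy", utc(2024, 1, 1), utc(2027, 1, 1)),
]
SAMPLE_CAS = [
    # healthy CA whose 26-day CRL reaches half-life on 2025-03-05, 4 days after NOW
    Authority(Certificate("ca-internal", utc(2020, 1, 1), utc(2030, 1, 1)),
              utc(2025, 2, 20), utc(2025, 3, 18)),
    # expired CA whose 89-day CRL passed half-life on 2025-02-14
    Authority(Certificate("ca-legacy", utc(2014, 1, 1), utc(2024, 6, 1)),
              utc(2025, 1, 1), utc(2025, 3, 31)),
]

if __name__ == "__main__":
    for name, issues in run_probes(SAMPLE_CERTS, SAMPLE_CAS, NOW).items():
        print(f"{name}: {', '.join(issues)}")
```

The boundaries are deliberately strict, as the documentation words them: a certificate with exactly 30 days left is not yet reported, and a CRL exactly 5 days from its half-life is not yet reported either. Note that the half-lifetime rule fires well before the CRL's nextUpdate, which is why a CA whose CRL is renewed only at expiry will show as unhealthy for half of every CRL cycle.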