Ensuring the PKI's compliance with DR mode

Recap of IPsec DR recommendations for the PKI

Certificates, from the peer certificate up to the trust anchor, must comply with the following specifications:

  • The keys used in certificates must be 256 bits long,
  • ECDSA or ECSDSA signature on an ECP 256 (SECP) or BP 256 (Brainpool) curve,
  • SHA256 as the hash algorithm.

IMPORTANT
These constraints apply to the entire trust chain, i.e., beginning from the peer certificate up to the first trust anchor (first CA or sub-CA) that complies with these specifications.

External PKIs

If the PKI complies with IPsec DR recommendations (criteria described above)

From the certification authority that will manage the identities of DR mode-compatible peers:

  1. Generate the identities of all IPsec peers to be made DR mode-compatible. Do note that SNS firewalls support the EST (enrollment over secure transport) protocol in a DR context.
  2. Export these identities (certificate + private key).
  3. Import each identity on the peer in question. For SNS firewalls, refer to the section Importing an identity on each peer to be made DR mode-compatible.

If the PKI does not comply with IPsec DR recommendations (criteria described above)

  1. Go to your Root CA and create a sub-CA1 that complies with the above criteria.
  2. Create a sub-CA2 under sub-CA1 that complies with the same criteria: this new sub-CA2 will be the trust anchor of the trust chain.
    Although the first sub-CA1 complies with IPsec DR recommendations regarding the signature of peer certificates, its own certificate was signed by the RootCA, which does not comply with these criteria. The certificate of the sub-CA1 therefore does not comply with IPsec DR recommendations.
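As an added check (example code, not part of the Stormshield documentation) that applies the criteria recapped above to the sub-CA1/sub-CA2 case just described: given a chain ordered peer-first, it walks up while each certificate meets the criteria (256-bit key on SECP 256 or BP 256, ecdsa-with-SHA256 signature) and reports the topmost compliant CA reached as the DR trust anchor. It relies on the `cryptography` package; the chain it builds (RSA RootCA, sub-CA1, sub-CA2, peer), the `_mint` helper and all names are constructed for this example.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa

# Criteria from the recommendations recapped above: SECP 256 or BP 256 curve, ecdsa-with-SHA256.
DR_CURVES = ("secp256r1", "brainpoolP256r1")
DR_SIG_OID = SignatureAlgorithmOID.ECDSA_WITH_SHA256

def cert_is_dr_compliant(cert):
    """256-bit EC key on an allowed curve, and the certificate itself signed with ecdsa-with-SHA256."""
    key = cert.public_key()
    return (isinstance(key, ec.EllipticCurvePublicKey) and key.curve.name in DR_CURVES
            and key.curve.key_size == 256 and cert.signature_algorithm_oid == DR_SIG_OID)

def dr_trust_anchor(chain):
    """chain is ordered peer-first. Walk up while every certificate complies and return the
    index of the topmost compliant CA reached (the DR trust anchor), or None if the peer
    certificate or its immediate issuer already fails the criteria."""
    anchor = None
    for i, cert in enumerate(chain):
        if not cert_is_dr_compliant(cert):
            break  # first non-compliant certificate: the chain stops here
        if i > 0 and cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            anchor = i
    return anchor

def _mint(cn, key, issuer, issuer_key, ca):
    """Hypothetical helper: build a minimal certificate for CN=cn signed by issuer_key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_example_chain():
    """Constructed chain for the 'PKI does not comply' case: RSA RootCA -> sub-CA1 -> sub-CA2 -> peer."""
    root_k = rsa.generate_private_key(65537, 2048)
    root = _mint("RootCA", root_k, None, root_k, True)        # RSA key and signature: non-compliant
    sub1_k = ec.generate_private_key(ec.SECP256R1())
    sub1 = _mint("sub-CA1", sub1_k, root, root_k, True)       # EC key, but RSA-signed by RootCA
    sub2_k = ec.generate_private_key(ec.BrainpoolP256R1())
    sub2 = _mint("sub-CA2", sub2_k, sub1, sub1_k, True)       # EC key, ecdsa-with-SHA256 signature
    peer_k = ec.generate_private_key(ec.SECP256R1())
    peer = _mint("FW-Full-DR.stormshield.eu", peer_k, sub2, sub2_k, False)
    return [peer, sub2, sub1, root]
```

For the constructed chain, `dr_trust_anchor` returns index 1 (sub-CA2): sub-CA1's own certificate carries an RSA signature from RootCA and therefore ends the compliant run, exactly as the paragraph above explains.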

From this trust anchor:

  1. Generate the identities of all IPsec peers to be made DR mode-compatible.
  2. Export these identities (certificate + private key).
  3. Import each identity on the peer in question. For SNS firewalls, refer to the section Importing an identity on each peer to be made DR mode-compatible.

Internal PKIs (PKIs on an SNS firewall)

NOTE
In this example, the CA that signs the certificates of all peers that will be made compatible with DR mode exists/is created on the SNS firewall in a version that complies with IPsec DR recommendations.

If a CA (or sub-CA) that complies with IPsec DR recommendations already exists on the firewall

On firewalls in an SNS version that complies with the ANSSI's IPsec DR recommendations:

  1. Go to Configuration > Objects > Certificates and PKI.

  2. In the list of CAs and certificates, select the CA (or sub-CA) that will sign the IPsec certificates compatible with DR mode.
    Details of this CA (or sub-CA) will appear in the section on the right.
  3. In the Details > Hashes section, ensure that the signature algorithm is ecdsa-with-SHA256. If this is not the case, create a CA (or sub-CA) with a Key type set to SECP or BRAINPOOL and Key size set to 256 bits.
  4. In the Certificate profiles tab, ensure that the URIs of the CA's (or sub-CA's) CRL distribution points have been specified. If this is not the case, add them.

    NOTE
    The certificates signed by this CA (or sub-CA) before CRL distribution points were added must be generated again to apply this change.

  5. In the Certificate profiles tab, ensure in the Certification authority, User certificates and Server certificates sections that:
    • The Key type is set to SECP or BRAINPOOL,
    • The Key size is set only to 256 bits,
    • The Checksum is set to sha256.

    If any of these settings differs from the required value, change it.

  6. Click on Apply to apply any changes made.

If a CA that complies with IPsec DR recommendations must be created

On firewalls in an SNS version that complies with the ANSSI's IPsec DR recommendations:

Creating the CA

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Click on Add.
  3. Select Root authority.
    A wizard will automatically appear.
  4. Enter a Name (CA-DR in this example).
    The ID will automatically be filled in with the name of the CA. This name can be changed.
  5. Enter the attributes of the authority:
    • Organization (O),
    • Organizational Unit (OU),
    • Locality (L),
    • State (ST),
    • Country (C).

EXAMPLE
Organization (O): Stormshield
Organizational unit (OU): Documentation
Locality (L): Lille
State (ST): Nord
Country (C): France.

  6. Click on Next.
  7. Enter then confirm the Password that protects the CA.
  8. You can enter the contact E-mail address for this CA.
  9. The default validity suggested for the CA is 3650 days (recommended value).
    This value can be changed.
  10. Key type: SECP or BRAINPOOL must be selected.
  11. Key size (bits): 256 must be selected.
  12. Click on Next.
  13. CRL distribution points: add the URIs of the CRL distribution points that your peers' IPsec devices can contact to verify the validity of the certificates issued by your CA.
  14. Click on Next.
    A summary of the information regarding the CA will be shown.
  15. Confirm by clicking on Finish.

Uploading the CRL on distribution points

  1. Select the CA created earlier.
  2. Click on Download.
  3. Select CRL then the export format (PEM or DER).
    A message will give you the download link.
  4. Download the CRL by clicking on the link, then upload the CRL on each of the CRL distribution points that were specified during the creation of the CA.

Creating the identity of the firewall in DR mode (if it does not exist) and of each peer

For gateway peers

On firewalls in an SNS version that complies with the ANSSI's IPsec DR recommendations:

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Select the CA that signs certificates for DR mode (CA-DR in this example).
  3. Click on Add and select Server identity.
  4. Enter the fully qualified domain name of the corresponding firewall (e.g., FW-Full-DR.stormshield.eu).
    The ID will automatically be filled in with the fully qualified domain name. This name can be changed.
  5. Click on Next.
  6. Enter the password of the CA that signs this server identity (CA-DR in this example).
  7. Click on Next.
  8. Select a validity duration in days (365 days suggested by default).
  9. The key type suggested by default is compatible with DR mode (BRAINPOOL or SECP): it is the key type of the CA that signs the server identity.
  10. The Key size selected must be 256 bits.
  11. Click on Next.
  12. An alias can be added for this peer (optional).

    NOTE
    When an alias or Subject Alternative Name (SAN) is defined, it is indicated in the certificate's SubjectAltName field.
    It must be defined by the fully qualified domain name (FQDN) entered in step 4 so that this SAN can be used as the Peer ID. The syntax used is simpler than the one used in the certificate's full subject.

  13. Click on Next.
    A summary of the identity will appear.
  14. Click on Finish to confirm the creation of the server identity.

Repeat the process to create the identity of each peer concerned (gateways).

For mobile peers

On firewalls in an SNS version that complies with the ANSSI's IPsec DR recommendations:

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Select the CA that signs certificates for DR mode (CA-DR in this example).
  3. Click on Add and select User identity.
  4. In the CN field, enter the name of the peer (e.g., John Doe).
    The ID will automatically be filled in with the name of the peer. This name can be changed.
  5. Enter the e-mail address of the peer (john.doe@stormshield.eu in this example).
  6. Click on Next.
  7. Enter the password of the CA that signs this user identity (CA-DR in this example).
  8. Click on Next.
  9. Select a validity duration in days (365 days suggested by default).
  10. The key type suggested by default is compatible with DR mode (BRAINPOOL or SECP): it is the key type of the CA that signs the user identity.
  11. The Key size selected must be 256 bits.
  12. Click on Next.
    A summary of the identity will appear.
  13. Click on Finish to confirm the creation of the user identity.

Repeat the process to create the identity of each mobile peer.

Exporting the identity of each peer to be made DR mode-compatible

On firewalls in an SNS version that complies with the ANSSI's IPsec DR recommendations:

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Select the server identity to export.
  3. Click on Download: select Identity then In P12 format.
  4. In the Enter password field: create a password that will be used to protect the P12 file.
  5. Confirm the password.
  6. Click on Download certificate (P12).
  7. Save this file in P12 format on your workstation.

Repeat the process to export the identity of each peer concerned (gateways and mobile peers).

Importing an identity on each peer to be made DR mode-compatible

On every gateway peer other than the firewall in an SNS version that complies with IPsec DR recommendations:

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Click on Add and select Import a file.
  3. In the Password field (if the file is a PKCS#12 container), enter the password that protects the .P12 file.
  4. Click on Import.

Deleting the private keys of peer identities on the firewall (recommended)

Once the P12 file has been imported on the peer to be made DR mode-compatible, you are strongly advised to delete the private key of this peer's identity.

On the firewall that hosts the CA (e.g., the firewall in an SNS version that complies with IPsec DR recommendations):

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Select the server identity of the peer whose private key you wish to delete.
  3. Click on Action: select Remove private key.
    The private key will then be immediately deleted.

Repeat this procedure for each peer concerned (gateways and mobile peers).

Enabling verification of peer certificate revocation

The Certification authority (CA) that issues the certificates used to authenticate IPsec peers must implement a revocation mechanism (CRLs and CRL distribution points or OCSP servers). In addition, verification of certificates issued by this CA must be enabled on peers. When this parameter is enabled, you must have all the CRLs in the certification chain. Otherwise, the current IPsec policy will be disabled and the error message "Disabling CRL verification is not compatible with DR mode" will appear in the Check policy field found under the IPsec policy grid.

On all peers to which DR mode applies:

  1. Go to Configuration > System > CLI console.
  2. Type the following series of commands:
    CONFIG IPSEC UPDATE slot=x CRLrequired=1
    CONFIG IPSEC CHECK index=1
    CONFIG IPSEC ACTIVATE
    where x represents the number of the IPsec policy to modify.
  3. Click on Run.

Enabling automatic CRL retrieval

On every peer concerned:

  1. Go to Configuration > General configuration tab.
  2. Select the checkbox Enable regular retrieval of certificate revocation lists (CRL).

If the CRL of a peer's CA is not retrieved, tunnels cannot be set up with this peer.