Protecting private keys in SNS firewall certificates

This chapter explains how to protect the private key in the SNS firewall's certificate with the TPM.

Protecting the private key of a certificate that has already been added

From the web administration interface

This procedure is available only in SNS 4.7 and higher versions.

  1. In Configuration > Objects > Certificates and PKI, select the certificate (identity) in question.
  2. Click on Actions > Protect with the TPM.
  3. Click on OK.

From the CLI console

  1. Run the following command to show the certification authorities:

    PKI CA LIST

  2. If required, show the list of intermediate certification authorities signed by the root authority in question (<RootCA> in the command) with:

    PKI CA LIST CANAME=<RootCA>

  3. Show the certificates issued by the certification authority (<CA> in the command) with:

    PKI CERT LIST CANAME=<CA>

  4. Protect the private key of the certificate in question (<CERTNAME> in the command) with:

    PKI CERT PROTECT CANAME=<CA> NAME=<CERTNAME> tpm=ondisk

  5. Apply the new configuration with:

    PKI ACTIVATE

From the SMC server

For further information, refer to the section Enabling TPM protection on existing private keys in the SMC administration guide.

Adding a certificate and protecting its private key

From the web administration interface

  1. In Configuration > Objects > Certificates and PKI, click on Add and select the certificate (identity) to add.
  2. Fill out the requested information. On SNS 4.3 LTSB versions and SNS 4.7 and higher versions, select the checkbox Protect this identity with the TPM at the step of the wizard where it is offered.
  3. Click on Finish.
  4. On SNS 3.11 LTSB versions, which do not offer this checkbox, protect the private key of the certificate from the CLI console.

For more information, refer to the section on Certificates and PKI in the v4 or v3 user guide of the SNS version used.

From the CLI console

  1. Run the following command with the tpm=ondisk token, so that the private key is TPM-protected from the moment it is created:

    PKI CERT CREATE

    If required, show command help with:

    PKI CERT CREATE HELP

  2. Next, apply the new configuration with:

    PKI ACTIVATE

From the SMC server

You can import certificates (identities) on the SMC server and declare them on the SNS firewall. For more information, refer to the section Importing or declaring a certificate for a firewall in the SMC administration guide.

By default, the private keys of certificates that the SMC server declares on the SNS firewall are protected by the TPM if the TPM has been initialized. To change the default setting, refer to the section Disabling TPM private key protection in the SMC administration guide.

Importing a certificate and protecting its private key

From the web administration interface

  1. In Configuration > Objects > Certificates and PKI, click on Add > Import a file.
  2. Fill out the requested information. On SNS 4.3 LTSB versions and SNS 4.7 and higher versions, select the checkbox Protect this identity with the TPM.
  3. Click on Import.
  4. On SNS 3.11 LTSB versions, which do not offer this checkbox, protect the private key of the certificate from the CLI console.

For more information, refer to the section on Certificates and PKI in the v4 or v3 user guide of the SNS version used.
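The import wizard expects the identity (certificate plus private key) as a single file. The following script is an added example, not Stormshield code, showing how a practitioner can assemble and sanity-check such a file with OpenSSL before uploading it: it confirms that the private key really belongs to the certificate (a mismatched pair is the most common cause of a failed import) and that the resulting bundle opens with the passphrase you intend to type into the wizard. It assumes that the wizard accepts PKCS#12 (.p12) files, which is an assumption here, and the self-signed test identity it generates is constructed input for demonstration only.

```shell
#!/bin/sh
# Added example (not Stormshield code): prepare and check a PKCS#12 bundle
# for "Add > Import a file". Assumes SNS accepts .p12 bundles (assumption).
# Requires the openssl command-line tool.
set -eu

# Generate a constructed, self-signed test identity in directory $1
# (key.pem + cert.pem). Stands in for a real key and certificate.
make_test_identity() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=vpn.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Compare the public key embedded in the certificate ($2) with the public
# key derived from the private key ($1). Prints "match" or "mismatch".
key_matches_cert() {
    keyfile="$1"; certfile="$2"
    certpub=$(openssl x509 -in "$certfile" -pubkey -noout 2>/dev/null || true)
    keypub=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null || true)
    if [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Bundle key ($1) and certificate ($2) into a passphrase-protected PKCS#12
# file ($3) with passphrase $4. openssl itself refuses a mismatched pair
# ("No certificate matches private key"), so run key_matches_cert first
# to get a clearer diagnosis.
make_p12_bundle() {
    keyfile="$1"; certfile="$2"; out="$3"; pass="$4"
    openssl pkcs12 -export -inkey "$keyfile" -in "$certfile" \
        -name "sns-identity" -passout "pass:$pass" -out "$out" 2>/dev/null
}

# Exit 0 if the bundle ($1) opens with passphrase $2 (the MAC verifies),
# non-zero otherwise. A wrong passphrase here means the import will fail.
p12_readable() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}
```

Usage: run key_matches_cert on the PEM pair you were handed, then make_p12_bundle, then p12_readable with the passphrase you will give the wizard; only upload the .p12 when both checks pass.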

From the SMC server

You can import certificates (identities) on the SMC server and declare them on the SNS firewall. For more information, refer to the section Importing or declaring a certificate for a firewall in the SMC administration guide.

By default, the private keys of certificates that the SMC server declares on the SNS firewall are protected by the TPM if the TPM has been initialized. To change the default setting, refer to the section Disabling TPM private key protection in the SMC administration guide.