Using certificates with TPM-protected private keys

This section explains how to use certificates with TPM-protected private keys in the configuration of an SNS firewall.

SSL/TLS decryption (web administration interface and captive portal)

This use case is available only in SNS 4.8.7 and higher versions.

The private key in the certificate presented by the web administration interface and the SNS firewall's captive portal can be protected by the TPM.

To check/change the certificate used:

  1. Go to Configuration > Users > Authentication, Captive portal tab, SSL server section.
  2. In the Certificate (private key) field, select the desired certificate. A dedicated icon marks certificates whose private key is protected by the TPM.
  3. Apply changes.

    The connection to the web administration interface is lost when the new certificate is applied. When you go back to the authentication page, the browser may display a certificate warning if the new certificate is not issued by a CA it trusts. Check that the certificate presented is the one you selected, then proceed to the website.

NOTE
If access to the TPM is later denied, the private key of the selected certificate can no longer be decrypted. A backup certificate is then used so that access to the web administration interface is maintained.
On SNS 4.8.7 and higher 4.8.x versions, this backup is the default certificate of the factory configuration, whose name corresponds to the SNS firewall's serial number. On SNS 5.x versions in factory configuration, the certificate used for this access is self-generated.

SSL VPN

This use case is available only in SNS 4.8.7 and higher versions.

The private key of the server certificate that is presented by the SNS firewall SSL VPN service can be protected by the TPM.

To check/change the certificate used:

  1. Go to Configuration > VPN > SSL VPN, Advanced properties area, Certificates section.
  2. In the Server certificate field, select the desired certificate. A dedicated icon marks certificates whose private key is protected by the TPM. The selected certificate must be issued by the same certification authority (CA) as the client certificate.

  3. In the Client certificate field, you cannot select a certificate with a TPM-protected private key, because the client's private key must be present in plaintext (unencrypted) in the VPN configuration distributed to VPN clients. Treat that exported configuration as a secret: whoever obtains the file obtains the client key.

  4. Apply changes.

    If you are using the Stormshield VPN SSL client in automatic mode, the VPN configuration will automatically be retrieved at the next connection. For all other use cases, the VPN configuration must be imported again (.ovpn file). For more information, refer to the technical note Configuring and using the SSL VPN on SNS firewalls.
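Step 3 above is what makes the exported .ovpn file sensitive: it carries the client's private key in plaintext. The following added example (written for this page, not Stormshield code) parses the inline blocks and file-referencing directives of an OpenVPN profile and reports which secrets it carries and whether the private key is encrypted, so an administrator can check what is being handed to users. SAMPLE_OVPN is a constructed profile whose PEM bodies are placeholders, not material exported from an SNS firewall.

```python
"""Audit an OpenVPN (.ovpn) profile for the secret material it embeds or references.

Added example, not Stormshield code. SAMPLE_OVPN is constructed; its PEM
bodies are placeholders, not real keys or certificates.
"""
import re

# <tag> ... </tag> inline blocks, one tag per line, as OpenVPN writes them
INLINE_RE = re.compile(r"^<(?P<tag>[a-z0-9-]+)>\n(?P<body>.*?)^</(?P=tag)>",
                       re.S | re.M)
# directives that point at an external file holding secret material
FILE_REF_RE = re.compile(
    r"^(?P<directive>key|tls-auth|tls-crypt|tls-crypt-v2|secret|auth-user-pass|askpass)"
    r"[ \t]+(?P<path>\S+)", re.M)

SECRET_BLOCKS = {
    "key": "client private key",
    "tls-auth": "tls-auth HMAC key",
    "tls-crypt": "tls-crypt key",
    "tls-crypt-v2": "tls-crypt-v2 client key",
    "secret": "static pre-shared key",
}


def inline_blocks(profile: str) -> dict[str, str]:
    """Map inline block tag -> body text."""
    return {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(profile)}


def audit_profile(profile: str) -> dict:
    """Report the secret material a profile embeds (inline) or references (files)."""
    blocks = inline_blocks(profile)
    plaintext, encrypted = [], []
    for tag, what in SECRET_BLOCKS.items():
        if tag not in blocks:
            continue
        # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" and legacy "Proc-Type: 4,ENCRYPTED"
        # both contain ENCRYPTED; anything else is usable as-is by whoever holds the file
        (encrypted if "ENCRYPTED" in blocks[tag] else plaintext).append(what)
    external = [f"{m.group('directive')} {m.group('path')}"
                for m in FILE_REF_RE.finditer(profile)]
    return {
        "has_ca": "ca" in blocks,
        "has_cert": "cert" in blocks,
        "plaintext_secrets": plaintext,
        "encrypted_secrets": encrypted,
        "external_secret_files": external,
    }


# Constructed sample: the shape of a client profile with inline CA, cert, key and tls-auth.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.lab.example 1194
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...constructed placeholder, not a real key...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123...constructed placeholder, not a real key...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

if __name__ == "__main__":
    report = audit_profile(SAMPLE_OVPN)
    for name, value in report.items():
        print(f"{name}: {value}")
    if report["plaintext_secrets"]:
        print("WARNING: profile carries plaintext secrets; store and distribute it as a secret")
```

Run it against a profile exported from the firewall (or retrieved by the client) to confirm that the private key it carries is the client's and that no unexpected external key files are referenced; an encrypted key would only be reported if the profile had been post-processed, since the firewall distributes it unencrypted.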

IPsec VPN

The private key of the certificate that the SNS firewall presents to set up IPsec tunnels, when certificate authentication is used, can be protected by the TPM.

To check/change the certificate used:

  1. Go to Configuration > VPN > IPsec VPN > Peers tab.
  2. In the grid, select the peer that was used in the VPN configuration.
  3. In the Identification section, Certificate field, select the desired certificate. A dedicated icon marks certificates whose private key is protected by the TPM.

    NOTE
    In configurations using the IPsec IKEv1 VPN tunnel manager, do not choose a certificate with a TPM-protected private key, as tunnels can no longer be set up with it.

  4. Apply changes.

Internal LDAP

This use case is available only in SNS 4.8.7 and higher versions.

The private key of the SSL certificate used to secure access to the internal LDAP directory can be protected by the TPM.

To check/change the certificate used:

  1. Go to Configuration > Users > Directory configuration.
  2. Select the internal LDAP directory from the grid.

  3. In the Access to the internal LDAP section, SSL certificate issued by the server field, select the desired certificate. A dedicated icon marks certificates whose private key is protected by the TPM.

  4. Apply changes.

Communications with the SMC server

This use case is available only in SNS 4.8.7 and higher versions.

The private key of the certificate used for communications with the SMC server can be protected by the TPM. If the firewall was already connected to an SMC server when the TPM was initialized, the private key of that certificate was protected automatically at that time.

IMPORTANT
If access to the TPM is later denied, the private key of the certificate can no longer be decrypted, and communications with the SMC server will no longer function.

To check/protect the certificate used:

  1. Go to Configuration > System > Management Center.
  2. Look at the button shown under TPM. If Unprotect the SMC agent appears, the private key is already protected and there is nothing more to do.

  3. Otherwise, click on Protect the SMC agent.

  4. Confirm changes.

Sending logs to a TLS syslog server

This use case is available only in SNS 4.8.7 and higher versions.

The private key of the certificate that the SNS firewall presents to authenticate to the syslog server can be protected by the TPM.

To check/change the certificate used:

  1. Go to Configuration > Notifications > Logs - Syslog - IPFIX, Syslog tab.
  2. Select the profile of the syslog server that you wish to modify from the grid. The details of the profile appear on the right.
  3. In the Certification authority field, select the certification authority (CA) that signed the certificates that the SNS firewall and Syslog server will present in order to authenticate mutually.
  4. In the Server certificate field, select the certificate that the syslog server will present in order to authenticate to the SNS firewall. You cannot select a certificate with a TPM-protected private key here, since that certificate's private key has to be installed on the syslog server rather than kept in the firewall's TPM.

  5. In the Client certificate field, select the certificate that the SNS firewall will present in order to authenticate to the syslog server. A dedicated icon marks certificates whose private key is protected by the TPM.

  6. Apply changes.
  7. Ensure that the syslog server trusts the selected client certificate. To verify the firewall it needs the certificate and the CA that issued it, not the private key, which stays on the firewall. You can export the certificate as a P12 file in Configuration > Objects > Certificates and PKI.
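The SSL VPN section (server and client certificates must come from the same CA) and steps 3 to 5 above (the CA field must be the one that signed both the syslog server's certificate and the firewall's client certificate) state the same consistency rule. The following added example (written for this page, not Stormshield code) checks it offline: it walks the DER structure of each certificate to extract its issuer and subject Names (RFC 5280, section 4.1) and compares the issuer of each selected certificate with the subject of the CA. It needs no third-party library and accepts real PEM or DER files exported from the firewall; the sample certificates it builds are constructed, unsigned skeletons with placeholder key material, so only the name comparison is meaningful on them.

```python
"""Check that selected certificates are issued by the configured CA.

Added example, not Stormshield code. sample_cert() builds constructed X.509
skeletons with placeholder keys and signatures; only their Names are real.
"""
import base64
import re


# --- minimal DER reader (single-byte tags, definite lengths: all X.509 needs) ---

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int) -> list[tuple[int, bytes]]:
    """(tag, raw TLV bytes) for each element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        out.append((tag, buf[pos:vend]))
        pos = vend
    return out


def load_der(data: bytes) -> bytes:
    """Accept a PEM-armoured or raw DER certificate and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def cert_names(cert: bytes) -> tuple[bytes, bytes]:
    """Return (issuer, subject) as their raw DER Name encodings."""
    der = load_der(cert)
    tag, s, e = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = _children(der, s, e)[0][1]          # tbsCertificate ::= SEQUENCE
    _, s, e = _read_tlv(tbs, 0)
    fields = _children(tbs, s, e)
    if fields[0][0] == 0xA0:                  # [0] EXPLICIT version is optional (absent in v1)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def issued_by(cert: bytes, ca: bytes) -> bool:
    """True when cert's issuer Name is byte-identical to ca's subject Name.
    Binary comparison is what chain builders try first; RFC 5280 also permits
    case-folded string matching, so a False on a real pair deserves a second look
    with `openssl x509 -noout -issuer -subject` before concluding they do not chain."""
    return cert_names(cert)[0] == cert_names(ca)[1]


def check_profile(ca: bytes, server_cert: bytes, client_cert: bytes) -> dict[str, bool]:
    """The consistency rule behind the SSL VPN and TLS syslog certificate fields."""
    return {"server_issued_by_ca": issued_by(server_cert, ca),
            "client_issued_by_ca": issued_by(client_cert, ca)}


# --- constructed sample certificates (structure only, no real keys or signature) ---

def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue {OID 2.5.4.3 (CN), UTF8String}
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def sample_cert(subject_cn: str, issuer_cn: str, serial: int = 1) -> bytes:
    """X.509 v3 skeleton with the real field order; key and signature are placeholders."""
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
    spki = _tlv(0x30, sig_alg + _tlv(0x03, b"\x00placeholder-key"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + sig_alg + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00placeholder-signature"))


def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    ca = sample_cert("Lab Syslog CA", "Lab Syslog CA")
    server = sample_cert("syslog.lab.example", "Lab Syslog CA", serial=2)
    client = sample_cert("sns-firewall", "Lab Syslog CA", serial=3)
    rogue = sample_cert("sns-firewall", "Other CA", serial=4)
    print(check_profile(ca, server, client))         # both True
    print(check_profile(to_pem(ca), server, rogue))  # client_issued_by_ca False
```

This is a pre-check on names only; the firewall and the syslog server still verify the signatures at connection time. Point it at the CA, server and client certificates you intend to select, and a False on either entry tells you before applying the profile that the selected certificate does not belong to the configured CA.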