Using certificates with TPM-protected private keys

This chapter summarizes the situations in which certificates with TPM-protected private keys can be used:

SSL/TLS decryption (web administration interface and captive portal)

This use case is exclusive to SNS 4.7 and higher versions.

The private key in the certificate presented by the firewall's web administration interface and its captive portal can be protected by the TPM.

IMPORTANT
Keep in mind that you will no longer be able to access these interfaces if the private key of the certificate that is used can no longer be decrypted (for example, if the TPM that protects it has been reset or is no longer available). Make sure you have another way to recover access before selecting a TPM-protected certificate.

To check/change the certificate used:

  1. Go to Configuration > Users > Authentication, Captive portal tab, SSL server section.
  2. In the Certificate (private key) field, select the desired certificate. Certificates with a TPM-protected private key are marked with a dedicated icon.

  3. Apply changes.

Applying the change drops the current connection to the web administration interface. Depending on the certificate used (for example, one issued by a certification authority that your browser does not trust), a warning message may appear when you go back to the authentication page; you can then proceed to the website.
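The browser warning only tells you that the certificate is not trusted by the browser; it does not tell you whether the firewall is presenting the certificate you just selected. The following script is added here as an example (it is not part of the SNS documentation or of the product): it retrieves the certificate presented by a TLS endpoint without validating the chain, so the check works even when the issuing CA is unknown to the client, and compares its SHA-256 fingerprint with the fingerprint you expect (for instance taken from the PEM export of the selected certificate with `openssl x509 -noout -fingerprint -sha256`). The host name, port and the sample PEM below are placeholders.

```python
import hashlib
import socket
import ssl


def fetch_presented_certificate(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the PEM-encoded leaf certificate presented by host:port.

    Chain validation is deliberately disabled: the goal is to see what the
    firewall presents even when its issuing CA is not trusted on this host.
    Use the result only to compare fingerprints, never as a trust decision.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' (browser / openssl style) or 'abcd...' and return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, the value browsers and openssl display."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(pem: str, expected: str) -> bool:
    return sha256_fingerprint(pem) == normalize_fingerprint(expected)


def check_endpoint(host: str, expected_sha256: str, port: int = 443) -> bool:
    """True if the certificate presented by host:port has the expected fingerprint."""
    return fingerprint_matches(fetch_presented_certificate(host, port), expected_sha256)


# Constructed placeholder: a syntactically valid PEM envelope around 16 dummy
# bytes (0x00..0x0f). It is NOT a real certificate; it only exercises the
# fingerprint helpers offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "AAECAwQFBgcICQoLDA0ODw==\n"
    "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    import sys

    # Usage: python check_fw_cert.py <firewall-host> <expected-sha256-fingerprint> [port]
    host, expected = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    ok = check_endpoint(host, expected, port)
    print("OK: presented certificate matches" if ok else "MISMATCH: do not proceed past the browser warning")
    sys.exit(0 if ok else 1)
```

Run it against the firewall's administration address right after step 3; a mismatch means the interface is not presenting the certificate you selected and the browser warning should not be clicked through.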

SSL VPN

This use case is exclusive to SNS 4.7 and higher versions.

The SSL VPN service on the SNS firewall and the VPN client present certificates (server and client) to set up tunnels.

To check/change the certificates used:

  1. Go to Configuration > VPN > SSL VPN, Advanced properties area, Used certificates section.
  2. Select the desired certificates in the relevant fields. They must be issued by the same certification authority.

    • In the Server certificate field, certificates with a TPM-protected private key are marked with a dedicated icon.

    • In the Client certificate field, you cannot select certificates that have TPM-protected private keys. This is because the private keys of such certificates must be available in plaintext (unencrypted) in the VPN configuration that is distributed to VPN clients. That configuration therefore contains a usable private key and must be handled as a secret: distribute it over a secure channel and restrict access to the file on the client.

  3. Apply changes.
  4. If you are using the Stormshield VPN SSL client in automatic mode, the VPN configuration will automatically be retrieved at the next connection. For all other use cases, the configuration must be imported again manually (.ovpn file). For more information, refer to the technical note Configuring and using the SSL VPN on SNS firewalls.
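Because the client private key travels unencrypted inside the distributed configuration, it is useful to be able to check what an .ovpn file actually contains before handing it out or after it has been imported. The following script is added here as an example; it is not part of the SNS documentation or of the Stormshield VPN SSL client. It parses the inline <ca>, <cert> and <key> blocks of an OpenVPN-style profile, reports whether the embedded private key is unencrypted, and checks that the file is readable only by its owner. The sample profiles and their PEM bodies are constructed dummies, and the audit rules are assumptions of this example.

```python
import os
import re
import stat
from typing import Dict, List

# Inline blocks in an OpenVPN-style profile look like <key> ... </key>.
INLINE_BLOCK = re.compile(
    r"<(?P<tag>ca|cert|key|tls-auth|tls-crypt)>\s*(?P<body>.*?)\s*</(?P=tag)>",
    re.DOTALL,
)


def parse_inline_blocks(profile: str) -> Dict[str, str]:
    """Map each inline block tag to its body (PEM text)."""
    return {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(profile)}


def private_key_is_plaintext(key_pem: str) -> bool:
    """True unless the PEM is password-protected (PKCS#8 encrypted or legacy 'Proc-Type: 4,ENCRYPTED')."""
    return not (
        "BEGIN ENCRYPTED PRIVATE KEY" in key_pem
        or "Proc-Type: 4,ENCRYPTED" in key_pem
    )


def audit_profile(profile: str) -> List[str]:
    """Return findings for the profile text; an empty list means nothing to report."""
    findings: List[str] = []
    blocks = parse_inline_blocks(profile)
    if "key" in blocks:
        if private_key_is_plaintext(blocks["key"]):
            findings.append("client private key is embedded unencrypted: treat this file as a secret")
    else:
        # A 'key <path>' directive means the key lives in a separate file needing the same care.
        m = re.search(r"^\s*key\s+(\S+)", profile, re.MULTILINE)
        if m:
            findings.append(f"client private key referenced as external file {m.group(1)}")
        else:
            findings.append("no client private key found (inline or external)")
    if "cert" not in blocks:
        findings.append("no inline client certificate")
    if "ca" not in blocks:
        findings.append("no inline CA: server verification relies on an external file")
    return findings


def file_is_private(path: str) -> bool:
    """True if the file carries no group/other permission bits (POSIX mode bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_file(path: str) -> List[str]:
    """Audit an .ovpn file on disk: content findings plus a permission check."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_profile(fh.read())
    if not file_is_private(path):
        findings.append(f"{path} is readable by group/others; use chmod 600")
    return findings


# Constructed sample profiles with dummy PEM bodies (not real keys or certificates).
SAMPLE_PLAINTEXT_KEY = """client
dev tun
proto udp
remote vpn.example.net 1194
<ca>
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQoLDA0ODw==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
EBESExQVFhcYGRobHB0eHw==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
ICEiIyQlJicoKSorLC0uLw==
-----END PRIVATE KEY-----
</key>
"""

SAMPLE_ENCRYPTED_KEY = SAMPLE_PLAINTEXT_KEY.replace(
    "-----BEGIN PRIVATE KEY-----\nICEiIyQlJicoKSorLC0uLw==\n-----END PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nICEiIyQlJicoKSorLC0uLw==\n-----END ENCRYPTED PRIVATE KEY-----",
)


if __name__ == "__main__":
    import sys

    # Usage: python audit_ovpn.py <profile.ovpn> [...]
    for path in sys.argv[1:]:
        for finding in audit_file(path) or ["no findings"]:
            print(f"{path}: {finding}")
```

A profile exported from the firewall for a client certificate will produce the "embedded unencrypted" finding: that is expected given the constraint above, and the point of the script is to make that fact visible and to catch profiles left world-readable on a shared machine.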

IPsec VPN

The private key of the certificate that the firewall presents to set up IPsec tunnels with certificate authentication can be protected by the TPM.

To check/change the certificate used:

  1. Go to Configuration > VPN > IPsec VPN > Peers tab.
  2. Select the peer used in the VPN configuration from the grid.

  3. In the Identification section, Certificate field, select the desired certificate. Certificates with a TPM-protected private key are marked with a dedicated icon.

    Do not select a TPM-protected certificate for peers handled by the IKEv1 IPsec VPN tunnel manager: in such configurations, tunnels will no longer be set up if the private key of the certificate used is protected by the TPM.

  4. Apply changes.

You can also select the certificate when adding peers (remote gateway or mobile peer with certificate authentication).

Internal LDAP

This use case is exclusive to SNS 4.7 and higher versions.

The private key of the SSL certificate used to secure access to the internal LDAP directory can be protected by the TPM.

To check/change the certificate used:

  1. Go to Configuration > Users > Directory configuration.
  2. Select the internal LDAP directory from the grid.

  3. In the Access to the internal LDAP section, SSL certificate issued by the server field, select the desired certificate. Certificates with a TPM-protected private key are marked with a dedicated icon.

  4. Apply changes.

Communications with the SMC server

This use case is exclusive to SNS 4.7 and higher versions.

The private key of the certificate that is used for communications with the SMC server can be protected by the TPM. Note that if the firewall is already connected to an SMC server when the TPM is initialized, the private key of this certificate is protected automatically.

IMPORTANT
Keep in mind that communications with the SMC server will no longer function if the private key in the certificate that is used can no longer be decrypted.

To protect the private key of this certificate:

  1. Go to Configuration > System > Management Center.
  2. Under TPM, click on Protect the SMC agent.

    If the button Unprotect the SMC agent appears, this means that the private key is already protected.

  3. Confirm changes.

Sending logs to a TLS syslog server

This use case is exclusive to SNS 4.7 and higher versions.

The private keys of the server and client certificates used to authenticate to a TLS syslog server can be protected by the TPM.

To check/change the certificates used:

  1. Go to Configuration > Notifications > Logs – Syslog - IPFIX, Syslog tab.
  2. Select the profile of the syslog server that you wish to modify from the grid.
  3. In the profile details, select the signing certification authority and the desired certificates in the relevant fields. Certificates with a TPM-protected private key are marked with a dedicated icon.

    If required, you can create a TPM-protected client identity and server identity beforehand in Configuration > Objects > Certificates and PKI and select them here.

  4. Apply changes.
  5. Ensure that the syslog server has the selected client certificate. You can export the certificate as a P12 file in Configuration > Objects > Certificates and PKI. A P12 file bundles the private key with the certificate, so protect the export with a strong password, transfer it over a secure channel and delete any intermediate copies once it has been imported.