CERTIFICATES AND PKI

PKI (Public Key Infrastructure) is a cryptographic system based on asymmetric cryptography. It uses digital signatures to certify public keys, which makes it possible to encrypt and sign messages or traffic in order to ensure confidentiality, authentication, integrity and non-repudiation.

The Stormshield Network PKI allows you to generate or import digital identities of trusted authorities (known as CAs or certification authorities), servers or users. With it, you can sign certificates, which contain a public key associated with information that may belong to a user, a server, etc. The aim of Stormshield Network’s PKI is to authenticate these entities.

In the rest of this manual, the term "identity" refers to the concept of a digital identity.

When the SSL VPN feature is used, the certification authority “sslvpn-full-default-authority” includes a server identity “openvpnserver” and a user identity “openvpnclient”. This allows the client and the Stormshield Network firewall’s SSL VPN service to identify each other without relying on an external authority.

When the firewall has a TPM (Trusted Platform Module) that is designed to protect private keys in some of the firewall's certificates, and the TPM is not initialized, a TPM initialization window will appear when the Certificates and PKI module opens. For more information on the TPM, see the section Trusted Platform Module.

The window of the Certificates and PKI module consists of three sections:

  • At the top of the screen, the various possible operations in the form of a search bar and buttons,
  • On the left, the list of authorities, identities and certificates,
  • On the right, details regarding the authority, identity or certificate selected beforehand from the list on the left, as well as information regarding the Certificate Revocation List (CRL) and the configuration of the authority or sub-authority.

The firewall's health indicator (shown in the upper banner of the web administration interface when there is an issue) uses probes that track the validity dates and statuses of the certificates and CRLs of the certification authorities used in the configuration. The indicator reports one of the following statuses:

  • For certificates:

    • Critical: the certificate has been revoked (by a certification authority) or has expired,

    • Not critical: the certificate will expire in less than 30 days or it is not yet valid,

    • Optimal: the certificate does not present any critical characteristics.

  • For CRLs:

    • Critical: the CRL of the CA has expired,

    • Not critical: the certificate will expire in less than 30 days or it is not yet valid,

    • Optimal: the CRL does not present any critical characteristics.
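The status rules above, as an added worked example (this is not Stormshield's code and does not show how the firewall's probes are implemented): a Python classifier that applies the manual's thresholds to constructed certificate and CRL records and aggregates them into a single overall indicator. It assumes that the "less than 30 days" and "not yet valid" rules are applied to a CRL's own thisUpdate/nextUpdate window, that the overall indicator shows the worst individual status, and that the validity fields have already been parsed out of the X.509 objects (the dataclasses, names and dates below are constructed sample data).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Threshold from the manual: "Not critical" when expiry is less than 30 days away.
WARNING_WINDOW = timedelta(days=30)

# Status names as the manual lists them, ordered from best to worst.
OPTIMAL, NOT_CRITICAL, CRITICAL = "Optimal", "Not critical", "Critical"
_SEVERITY = {OPTIMAL: 0, NOT_CRITICAL: 1, CRITICAL: 2}


@dataclass
class CertInfo:
    """Validity data of one certificate (constructed stand-in for a parsed X.509 cert)."""
    name: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # True when the issuing CA has revoked it


@dataclass
class CrlInfo:
    """Validity data of one CA's CRL (constructed stand-in for a parsed X.509 CRL)."""
    issuer: str
    this_update: datetime
    next_update: datetime


def certificate_status(cert: CertInfo, now: datetime) -> str:
    """Apply the manual's certificate rules, worst condition first."""
    if cert.revoked or now >= cert.not_after:
        return CRITICAL                      # revoked or expired
    if now < cert.not_before or cert.not_after - now < WARNING_WINDOW:
        return NOT_CRITICAL                  # not yet valid, or expiring in < 30 days
    return OPTIMAL


def crl_status(crl: CrlInfo, now: datetime) -> str:
    """Same thresholds applied to the CRL's own validity window (assumption, see lead-in)."""
    if now >= crl.next_update:
        return CRITICAL                      # CRL has expired
    if now < crl.this_update or crl.next_update - now < WARNING_WINDOW:
        return NOT_CRITICAL
    return OPTIMAL


def overall_status(statuses: Iterable[str]) -> str:
    """Assumed aggregation: the indicator shows the worst status of any tracked item."""
    worst = OPTIMAL
    for status in statuses:
        if _SEVERITY[status] > _SEVERITY[worst]:
            worst = status
    return worst


def evaluate(certs: List[CertInfo], crls: List[CrlInfo], now: datetime) -> Tuple[Dict[str, str], str]:
    """Return per-item statuses keyed by name/issuer, plus the aggregated indicator."""
    statuses = {c.name: certificate_status(c, now) for c in certs}
    statuses.update({"CRL:" + r.issuer: crl_status(r, now) for r in crls})
    return statuses, overall_status(statuses.values())


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data; the names echo the manual's defaults but the dates are invented.
NOW = _utc(2024, 6, 1)
SAMPLE_CERTS = [
    CertInfo("fw-admin", _utc(2024, 1, 1), _utc(2025, 1, 1)),                 # plenty of time left
    CertInfo("openvpnserver", _utc(2024, 1, 1), _utc(2024, 6, 20)),           # 19 days left
    CertInfo("openvpnclient", _utc(2024, 7, 1), _utc(2025, 7, 1)),            # not yet valid
    CertInfo("old-server", _utc(2023, 1, 1), _utc(2024, 5, 1)),               # expired
    CertInfo("leaver-user", _utc(2024, 1, 1), _utc(2025, 1, 1), revoked=True),
]
SAMPLE_CRLS = [
    CrlInfo("sslvpn-full-default-authority", _utc(2024, 5, 25), _utc(2024, 6, 10)),  # 9 days left
    CrlInfo("users-ca", _utc(2024, 5, 1), _utc(2024, 5, 30)),                        # expired
    CrlInfo("servers-ca", _utc(2024, 5, 1), _utc(2024, 12, 1)),                      # healthy
]

if __name__ == "__main__":
    per_item, indicator = evaluate(SAMPLE_CERTS, SAMPLE_CRLS, NOW)
    for item, status in per_item.items():
        print(f"{item:40s} {status}")
    print("health indicator:", indicator)
```

The boundary is deliberately strict: a certificate whose notAfter is exactly 30 days away is still "Optimal", because the manual says "less than 30 days"; one second less and it drops to "Not critical". Keeping all datetimes timezone-aware (UTC) avoids the naive/aware comparison errors that make such checks silently wrong when the appliance and the operator are in different zones.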