CERTIFICATES AND PKI

PKI, or Public Key Infrastructure, is a cryptographic system based on asymmetric cryptography. It uses signatures to certify public keys, which makes it possible to encrypt and sign messages or traffic in order to ensure confidentiality, authentication, integrity and non-repudiation.

The Stormshield Network PKI allows you to generate or import digital identities of trusted authorities (known as CAs or certification authorities), servers or users. With it, you can sign certificates, which contain a public key associated with information that may belong to a user, a server, etc. The aim of Stormshield Network’s PKI is to authenticate these entities.

In the rest of this manual, the term "identity" refers to the concept of a digital identity.

When the SSL VPN feature is used, the certification authority “sslvpn-full-default-authority” includes a server identity “openvpnserver” and a user identity “openvpnclient”. This allows the client and the Stormshield Network firewall’s SSL VPN service to identify each other without relying on an external authority.

When the firewall has a TPM (Trusted Platform Module) that is used to securely store certificates, keys, configuration backup files, etc., and the TPM has not been initialized (its administration password has not yet been created), a TPM initialization window will appear when the Certificates and PKI module is opened. For further information regarding the TPM module, refer to the section Trusted Platform Module (TPM).

The window of the Certificates and PKI module consists of three sections:

  • At the top of the screen, the various possible operations in the form of a search bar and buttons.
  • On the left, the list of authorities, identities and certificates.
  • On the right, details regarding the authority, identity or certificate selected beforehand from the list on the left, as well as information regarding the Certificate Revocation List (CRL) and the configuration of the authority or sub-authority.

The firewall's health indicator (in the upper banner of the web administration interface when there is an issue) uses probes that track validity dates and the statuses of certificates and certificate authorities used in the configuration. These probes report anomalies in the following cases:

  • Certificate expiring in fewer than 30 days,
  • Certificate with a validity period in the future,
  • Certificate expired,
  • Certificate revoked,
  • CRL of a CA that has exceeded half of its lifetime or which will be reaching it in fewer than 5 days,
  • CRL of an expired CA.
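The probe conditions listed above can be reproduced offline to check a configuration export before it is loaded on the firewall. The following Python is an added example, not Stormshield code: the `CertInfo` and `CrlInfo` records, the dates and the interpretation of a CRL's "lifetime" as the interval between its thisUpdate and nextUpdate fields are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Thresholds quoted in the manual's probe list.
EXPIRY_WARNING = timedelta(days=30)
CRL_HALF_LIFE_WARNING = timedelta(days=5)


@dataclass
class CertInfo:
    """Minimal view of a certificate (constructed for this example)."""
    not_before: datetime
    not_after: datetime
    revoked: bool = False


@dataclass
class CrlInfo:
    """Minimal view of a CRL and of the CA that issued it (assumption)."""
    this_update: datetime
    next_update: datetime
    ca_not_after: datetime


def cert_anomalies(cert: CertInfo, now: datetime) -> List[str]:
    """Return the anomalies the health probes would report for one certificate."""
    issues = []
    if cert.revoked:
        issues.append("revoked")
    if now < cert.not_before:
        issues.append("validity in future")
    elif now > cert.not_after:
        issues.append("expired")
    elif cert.not_after - now < EXPIRY_WARNING:
        issues.append("expires in < 30 days")
    return issues


def crl_anomalies(crl: CrlInfo, now: datetime) -> List[str]:
    """Return the anomalies for a CRL; lifetime = thisUpdate..nextUpdate (assumption)."""
    issues = []
    if now > crl.ca_not_after:
        issues.append("CRL of expired CA")
    half_life = crl.this_update + (crl.next_update - crl.this_update) / 2
    if now >= half_life:
        issues.append("CRL past half of its lifetime")
    elif half_life - now < CRL_HALF_LIFE_WARNING:
        issues.append("CRL reaches half-lifetime in < 5 days")
    return issues
```

Feed it dates parsed from an exported certificate and CRL (for example with `openssl x509 -dates` and `openssl crl -nextupdate`) and compare the output with what the upper banner reports.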