>
    Strata Copilot
    Store Private Keys on an HSM
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Secure Keys with a Hardware Security Module
    5. Store Private Keys on an HSM
    Download PDF
    Next-Generation Firewall

    Store Private Keys on an HSM

    Table of Contents

    Store Private Keys on an HSM

    Add an additional layer of security by storing the private keys needed for SSL/TLS decryption on an hardware security module (HSM).
    For added security, you can use a hardware security module (HSM) to secure the private keys used in SSL/TLS decryption for:
    • SSL Forward Proxy—The HSM can store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding the certificates to the client.
    • SSL Inbound Inspection—The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.
    If you use the DHE or ECDHE key exchange algorithms to enable perfect forward secrecy (PFS) support for SSL decryption, you can use an HSM to store the private keys for SSL Inbound Inspection. You can also use an HSM to store ECDSA keys used for SSL Forward Proxy or SSL Inbound Inspection.
    • (PAN-OS 11.1 and earlier) PAN-OS supports SSL Forward Proxy decryption with HSM for TLSv1.3 sessions. SSL Inbound Inspection occurs over TLSv1.2 even if both client and server support TLSv1.3.
    • (PAN-OS 11.2) PAN-OS supports SSL Forward Proxy and SSL Inbound Inspection with HSMs for TLSv1.3 sessions. To turn on this support for SSL Inbound Inspection, use the set ssl inbound-inspection tls1.3-with-hsm enable yes CLI command.
    1. On the HSM, import or generate the certificate and private key used in your decryption deployment.
      For instructions on importing or generating a certificate and private key on the HSM, refer to your HSM documentation.
    2. (Entrust nShield) Synchronize the key data from the nShield remote file system to the firewall.
      Synchronization with the SafeNet Network HSM is automatic.
      1. Access the firewall web interface and select DeviceSetupHSM.
      2. Synchronize with Remote Filesystem (Hardware Security Operations settings).
    3. Import the certificate that corresponds to the HSM-stored key.
      1. Select DeviceCertificate ManagementCertificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later). Select Import.
      2. Enter the Certificate Name.
      3. Browse to the Certificate File on the HSM.
      4. Select a File Format.
      5. Select Private Key resides on Hardware Security Module.
      6. Click OK and Commit your changes.
    4. (Forward Trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
      1. Open the certificate you imported in Step 3 for editing.
      2. Select Forward Trust Certificate.
      3. Click OK and Commit your changes.
    5. Verify that you successfully imported the certificate onto the firewall.
      Locate the certificate you imported in Step 3 and check the icon in the Key column:
      • Lock icon—The private key for the certificate is on the HSM.
      • Error icon—The private key is not on the HSM or the HSM is not properly authenticated or connected.

    © 2026 Palo Alto Networks, Inc. All rights reserved.