For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:

SSL Forward Proxy—The HSM can store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding the certificates to the

SSL Inbound Inspection—The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.
On the HSM, import or generate the certificate and private key used in your decryption deployment. For instructions on importing or generating a certificate and private key on the HSM, refer to your HSM documentation.
(nCipher nShield Connect only) Synchronize the key data from the nShield Connect remote file system to the firewall. Synchronization with the SafeNet Network HSM is automatic. Access the firewall web interface and select Synchronize with Remote Filesystem in the Hardware Security Operations section.
Import the certificate that corresponds to the HSM-stored key onto the firewall. When you import it, select Private Key resides on Hardware so that the firewall uses the key on the HSM rather than expecting a key in the import.
(Forward Trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy. Open the certificate you imported in the previous step for editing and select Forward Trust Certificate.
Verify that you successfully imported the certificate onto the firewall. Locate the certificate you imported and check the icon in the Key column:

Lock icon—The private key for the certificate is on the HSM.

Error icon—The private key is not on the HSM, or the HSM is not properly authenticated or connected.
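The import step above only works if the certificate you load onto the firewall was actually issued for the key that lives on the HSM; a mismatch shows up later as the error icon in the Key column. The following script is an added example (not part of this documentation, not a Palo Alto Networks or HSM vendor tool) that checks this before import: it compares the SHA-256 fingerprint of the certificate's SubjectPublicKeyInfo with that of a public key exported from the HSM. It assumes `openssl` is installed and that your HSM can export the key's public half as PEM (how to do so is in your HSM documentation); the "HSM" key here is a constructed local test key standing in for the real one.

```shell
#!/bin/sh
# Added example: confirm a certificate matches an HSM-held key before importing
# it onto the firewall with "Private Key resides on Hardware".
# Assumptions (not from the page): openssl is on PATH; the HSM can export the
# public key as PEM. The test material below is constructed locally.

# Print the SHA-256 fingerprint of a SubjectPublicKeyInfo in DER form.
# $1 = "cert" (read the public key out of an X.509 cert) or "pubkey" (PEM SPKI)
# $2 = path to the PEM file
spki_fingerprint() {
  {
    if [ "$1" = cert ]; then
      openssl x509 -in "$2" -pubkey -noout
    else
      cat "$2"
    fi
  } | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if certificate $1 was issued for the public key in $2, 1 otherwise.
pubkey_matches() {
  [ "$(spki_fingerprint cert "$1")" = "$(spki_fingerprint pubkey "$2")" ]
}

# Constructed fixture: a self-signed "Forward Trust" CA whose private key plays
# the role of the HSM-resident key, plus an unrelated key to show a mismatch.
# Prints the directory holding the files.
make_fixture() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/hsm_key.pem" \
    -out "$dir/forward_trust.pem" -days 1 -subj "/CN=Forward Trust Test CA" \
    >/dev/null 2>&1
  # What the HSM would export: only the public half.
  openssl pkey -in "$dir/hsm_key.pem" -pubout -out "$dir/hsm_pub.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other_key.pem" >/dev/null 2>&1
  openssl pkey -in "$dir/other_key.pem" -pubout -out "$dir/other_pub.pem" 2>/dev/null
  echo "$dir"
}

# Usage with your own files:
#   pubkey_matches forward_trust.pem hsm_exported_pub.pem && echo "safe to import"
```

In a real deployment, replace the fixture with the certificate you intend to import and the public key your HSM exports for the corresponding key handle; a match means the firewall's lock icon should appear once the HSM is authenticated and connected, while a mismatch explains an error icon that persists even though the HSM itself is healthy.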