For added security, you can use an HSM to
secure the private keys used in SSL/TLS decryption for:
Forward Proxy—The HSM can store the private key of the Forward
Trust certificate that signs certificates in SSL/TLS forward proxy
operations. The firewall will then send the certificates that it
generates during such operations to the HSM for signing before forwarding
the certificates to the client.
Inbound Inspection—The HSM can store the private keys for
the internal servers for which you are performing SSL/TLS inbound
If you use the DHE or ECDHE key
exchange algorithms to enable Perfect
Forward Secrecy (PFS) Support for SSL Decryption, you cannot
use an HSM to store the private keys for SSL Inbound Inspection.
You also cannot use an HSM to store ECDSA keys used for Forward
Proxy or Inbound Inspection decryption.
On the HSM, import or generate the certificate
and private key used in your decryption deployment.
For instructions on importing or generating a certificate
and private key on the HSM, refer to your HSM documentation.
Thales nShield Connect only
) Synchronize the
key data from the Thales nShield remote file system to the firewall.
Synchronization with the SafeNet Network HSM is automatic.
Access the firewall web interface and select
Synchronize with Remote Filesystem
the Hardware Security Operations section.
the certificate that corresponds to the HSM-stored key onto the
on the HSM.
Private Key resides on Hardware
Forward Trust certificates only
) Enable the
certificate for use in SSL/TLS Forward Proxy.
Open the certificate you imported in Step 3 for editing.
Forward Trust Certificate
Verify that you successfully imported the certificate
onto the firewall.
Locate the certificate you imported in Step 3 and check the icon in the Key column:
—The private key for the certificate is on the
—The private key is not on the HSM or the HSM
is not properly authenticated or connected.