1. Home
    2. PAN-OS
    3. PAN-OS® Administrator's Guide
    4. Certificate Management
    5. Secure Keys with a Hardware Security Module
    6. Store Private Keys on an HSM

    Store Private Keys on an HSM

    For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:
    • SSL Forward Proxy—The HSM can store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding the certificates to the client.
    • SSL Inbound Inspection—The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.
    If you use the DHE or ECDHE key exchange algorithms to enable Perfect Forward Secrecy (PFS) Support for SSL Decryption, you cannot use an HSM to store the private keys for SSL Inbound Inspection. You also cannot use an HSM to store ECDSA keys used for Forward Proxy or Inbound Inspection decryption.
    1. On the HSM, import or generate the certificate and private key used in your decryption deployment.
      For instructions on importing or generating a certificate and private key on the HSM, refer to your HSM documentation.
    2. (
      Thales nShield Connect only
      ) Synchronize the key data from the Thales nShield remote file system to the firewall.
      Synchronization with the SafeNet Network HSM is automatic.
      1. Access the firewall web interface and select
        Device
        Setup
        HSM
        .
      2. Select
        Synchronize with Remote Filesystem
         in the Hardware Security Operations section.
    3. Import the certificate that corresponds to the HSM-stored key onto the firewall.
      1. Select
        Device
        Certificate Management
        Certificates
        Device Certificates
         and click
        Import
        .
      2. Enter the
        Certificate Name
        .
      3. Browse
         to the
        Certificate File
         on the HSM.
      4. Select a
        File Format
        .
      5. Select
        Private Key resides on Hardware Security Module
        .
      6. Click
        OK
         and
        Commit
        .
    4. (
      Forward Trust certificates only
      ) Enable the certificate for use in SSL/TLS Forward Proxy.
      1. Open the certificate you imported in Step 3 for editing.
      2. Select
        Forward Trust Certificate
        .
      3. Click
        OK
         and
        Commit
        .
    5. Verify that you successfully imported the certificate onto the firewall.
      Locate the certificate you imported in Step 3 and check the icon in the Key column:
      • Lock icon
        —The private key for the certificate is on the HSM.
      • Error icon
        —The private key is not on the HSM or the HSM is not properly authenticated or connected.

    Related Documentation

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo