Store Private Keys on an HSM
For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:
- SSL Forward Proxy—The HSM can store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding the certificates to the client.
- SSL Inbound Inspection—The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.
If you use the DHE or ECDHE key exchange algorithms to enable perfect forward secrecy (PFS) support for SSL decryption, you can use an HSM to store the private keys for SSL Inbound Inspection. You can also use an HSM to store ECDSA keys used for SSL Forward Proxy or SSL Inbound Inspection decryption.
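The security property behind the SSL Forward Proxy bullet above is that the Forward Trust CA's private key never leaves the HSM: the firewall generates a fresh key pair and a to-be-signed certificate for each impersonated server and hands only that to the HSM, which returns a signature. The following Go program is an added illustration of that division of labour; it is not PAN-OS or vendor code. The `hsmSigner` type is a constructed stand-in for an HSM-backed `crypto.Signer` (a real deployment would back it with a PKCS#11 or vendor library), and the CA name, host name and validity periods are made-up sample values.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// hsmSigner models an HSM-resident key: callers see only the public key and
// a Sign operation; the private half stays inside the struct. This is a
// constructed stand-in for a PKCS#11-backed signer, not a real HSM binding.
type hsmSigner struct {
	priv      *ecdsa.PrivateKey // would live in an HSM slot in a real deployment
	signCount int               // number of signing requests the "HSM" served
}

func (h *hsmSigner) Public() crypto.PublicKey { return &h.priv.PublicKey }

// Sign receives only a digest, never the key material, and returns an
// ASN.1 DER-encoded ECDSA signature as crypto/x509 expects.
func (h *hsmSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	h.signCount++
	return h.priv.Sign(r, digest, opts)
}

// newForwardTrustCA generates an ECDSA CA key "inside the HSM" and a
// self-signed Forward Trust CA certificate signed through that interface.
func newForwardTrustCA() (*hsmSigner, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	hsm := &hsmSigner{priv: priv}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Forward Trust CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, hsm.Public(), hsm)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return hsm, ca, err
}

// issueForwardProxyCert mimics the per-session step: generate a fresh key pair
// for the impersonated server, then send only the certificate body to the HSM
// for signing with the Forward Trust CA key.
func issueForwardProxyCert(hsm *hsmSigner, ca *x509.Certificate, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, hsm)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain checks the impersonation certificate the way a client that
// trusts the Forward Trust CA would, including the host name binding.
func verifyChain(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	hsm, ca, err := newForwardTrustCA()
	if err != nil {
		panic(err)
	}
	leaf, err := issueForwardProxyCert(hsm, ca, "www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("chain valid:", verifyChain(leaf, ca, "www.example.com") == nil)
	fmt.Println("HSM signing operations:", hsm.signCount)
}
```

Two signing requests reach the `hsmSigner` (one for the self-signed CA, one for the leaf) and nothing else crosses the boundary; a compromise of the firewall's configuration store would therefore yield certificates already issued but not the ability to mint new ones offline, which is the reason for keeping the Forward Trust key on the HSM rather than in the firewall's own key store.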
1. On the HSM, import or generate the certificate and private key used in your decryption deployment. For instructions on importing or generating a certificate and private key on the HSM, refer to your HSM documentation.
2. (Thales nShield Connect only) Synchronize the key data from the Thales nShield remote file system to the firewall. Synchronization with the SafeNet Network HSM is automatic.
   - Access the firewall web interface and select Device > Setup > HSM.
   - Synchronize with Remote Filesystem (Hardware Security Operations settings).
3. Import the certificate that corresponds to the HSM-stored key.
   - Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   - Enter the Certificate Name.
   - Browse to the Certificate File on the HSM.
   - Select a File Format.
   - Select Private Key resides on Hardware Security Module.
   - Click OK and Commit your changes.
4. (Forward Trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
   - Open the certificate you imported in Step 3 for editing.
   - Select Forward Trust Certificate.
   - Click OK and Commit your changes.
5. Verify that you successfully imported the certificate onto the firewall. Locate the certificate you imported in Step 3 and check the icon in the Key column:
   - Lock icon—The private key for the certificate is on the HSM.
   - Error icon—The private key is not on the HSM, or the HSM is not properly authenticated or connected.