ECDSA Certificate Support for SSL Decryption with HSMs

Firewalls support ECDSA certificates for SSL forward proxy and inbound inspection decryption in environments that use HSMs to store ECDSA certificates and keys.
If you use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates for SSL decryption, you can now store the elliptic curve private keys securely on a third-party network HSM. When you enable the Private key resides on Hardware Security Module option, the firewall can import or generate an ECDSA certificate whose private key is held on the HSM, so that the firewall can obtain the ECDSA key from the HSM to decrypt traffic between a client and server. Prior to PAN-OS 8.1, you could not store ECDSA certificates on an HSM.
[Screenshot: private-key-resides-on-hsm.png]
HSM support for ECDSA certificates applies to SSL decryption in both forward proxy and inbound inspection modes.
At the start of a TLS handshake, the firewall checks the HSM connection. If the HSM connection fails at the start of a session, the firewall blocks or allows the session depending on whether you enabled the Block session if HSM not available option. If the HSM connection fails in the middle of a session, however, the firewall blocks the session.
[Screenshot: block-session-if-hsm-not-available.png]