Understand the "Block Private Key Export" option with three scenarios

rmeddane — Sat, 13 Jan 2024 15:18:29 GMT

The firewall uses a certificate with the role of CA Certificate of Authority to perform SSL Decryption for outbound traffic.

There are three methods to generate this certificate.

Method 1 : You can use a self-signed certificate. The firewall will generate a Certificate with the Public / Private keys automatically without involving an external CA.

Method 2 : Using an external CA. The firewall generates a CSR Certificate Signed Request with the Public/Private keys, then you submit only the CSR / Public key, while the Private key is kept on the firewall, finally you upload the generate certificate with the embedded Public key.

Method 3 : Using an external CA. You generate the CSR or the certifcate with the Public / Private keys. Then you upload the Certificate with the Public / Private Key.

The « Block Private Key Export » option on the firewall allows the administrators to prevent rogue admins to export the private key, keeping it security on the firewall.

Let’s see with which method does the « Block Private Key Export » work ?

Method 1

Generate a Self Signed Certificate, to be able to perform SSL Decryption for outbound traffic, check the Certificate Authority option.

To prevent the private key to be exported, check the Block Private Key Export option.

The self signed certificate is generated automatically.

Select the certificate and click on the Export Certficate button.

The firewall does not include the option to export the private key because the Block Private Key Export option is enabled.

Method 2

Generate a Certificate Signing Request CSR using the option Signed by External Autthority (CSR) and check the Block Private Key Export option.

The CSR contains only the Public key, the Private key is kept in the firewall.

The CSR is in the state of pending, waiting to submit it into an external CA.

Click the Export Certificate button to export the CSR.

Access the CA-1 server, and submit the CSR, you need to select the Certificate Template Subordinate Certificate Authority to make this certificate as a CA so that the firewall can use it to sign the spoofed server certificate.

Retrieve the generated certificate from the CA-1 server and click on the Import button. In this scenario, the private key is kept the firewall so you dont need to use the Import Private Key option.

Notice the icon below that indicates that the private key cannot be exported.

But when you try to export the certificate, the firewall displays the option to export the Private key which confirms that the Block Private Key Export option didnt work with this method.

Method 3

Access the CA-2 server command line, generate a certificate with the role CA. The CA-2 server generates the certificate including the public key and the Private key. With this method, you need to import both the certificate and the Private key into the firewall.

Retrieves the Certifcate and the Private key as shown below.

On the firewall, click the Import button, locate the Certificate and the Private key files.

Check the Block Private Key Export option.

Notice the icon below that indicates that the private key cannot be exported. Click the Export Certifcate button.

Notice that the firewall does not allow to export the Private key because the Block Private Key Export enabled.

topic Understand the "Block Private Key Export" option with three scenarios in Next-Generation Firewall Discussions

Understand the "Block Private Key Export" option with three scenarios