01-13-2024 12:08 PM
The firewall uses a certificate with the Certificate Authority (CA) role, the forward trust certificate, to perform SSL Decryption (forward proxy) for outbound traffic.
There are three methods to generate this certificate.
The « Block Private Key Export » option on the firewall lets administrators prevent a rogue admin from exporting the private key, keeping it secured on the firewall.
Let's see with which of these methods « Block Private Key Export » actually works.
Method 1
Generate a self-signed certificate and, so that it can be used for SSL Decryption of outbound traffic, check the Certificate Authority option.
To prevent the private key from being exported, check the Block Private Key Export option.
The self-signed certificate is generated automatically.
Select the certificate and click the Export Certificate button.
The firewall does not offer the option to export the private key because the Block Private Key Export option is enabled.
Method 2
Generate a Certificate Signing Request (CSR) using the Signed by External Authority (CSR) option and check the Block Private Key Export option.
The CSR contains only the public key; the private key stays on the firewall.
The CSR remains in the pending state until it is submitted to an external CA.
Click the Export Certificate button to export the CSR.
Access the CA-1 server and submit the CSR. You must select the Subordinate Certificate Authority certificate template so that the issued certificate is a CA certificate; otherwise the firewall cannot use it to sign the spoofed (impersonated) server certificates.
Retrieve the issued certificate from the CA-1 server and click the Import button. In this scenario the private key is already on the firewall, so you do not need to use the Import Private Key option.
Notice the icon below indicating that the private key cannot be exported.
But when you try to export the certificate, the firewall still displays the option to export the private key, which confirms that the Block Private Key Export option did not work with this method.
Method 3
Access the CA-2 server command line and generate a certificate with the CA role. The CA-2 server generates both the certificate (carrying the public key) and the private key. With this method you need to import both the certificate and the private key into the firewall.
Retrieve the certificate and the private key as shown below.
On the firewall, click the Import button and locate the certificate and private key files.
Check the Block Private Key Export option.
Notice the icon below indicating that the private key cannot be exported. Click the Export Certificate button.
Notice that the firewall does not allow the private key to be exported because the Block Private Key Export option is enabled.
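As an added example that is not part of the original post, the script below reproduces the CA-side steps of Method 2 and Method 3 with OpenSSL and then runs the checks you would want on what the CA hands back and on what the firewall exports: is the certificate really a CA certificate (basicConstraints CA:TRUE, without which the firewall cannot sign impersonated server certificates), does the CSR really leave the private key behind, and does a given export bundle contain a private key or not. The Windows CA-1 "Subordinate Certificate Authority" template is simulated here by signing with CA:TRUE extensions; the file names, subject names and the PKCS#12 password are illustrative assumptions, and the only requirement is the openssl CLI.

```shell
#!/bin/sh
# Added example (not the original post's commands): OpenSSL stand-in for the
# CA-1/CA-2 steps above plus checks on the resulting material.
# Assumptions: openssl CLI installed; file names, subjects and the PKCS#12
# password ("export") are illustrative; the ADCS "Subordinate Certificate
# Authority" template is simulated with CA:TRUE extensions in an -extfile.
set -eu

WORK="$(mktemp -d)"

# Method 3, CA-2 side: the CA generates both the private key and a self-signed
# CA certificate; both files later have to be imported into the firewall.
make_root_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=CA-2 Root (example)" \
    -keyout "$WORK/ca2.key" -out "$WORK/ca2.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/ca2.csr" -signkey "$WORK/ca2.key" -days 365 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/ca2.crt" 2>/dev/null
}

# Method 2, firewall side: the key pair is generated locally and only the CSR
# (subject + public key) leaves the box.
make_forward_trust_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Firewall Forward Trust (example)" \
    -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
}

# Method 2, CA-1 side: issue the CSR as a subordinate CA. Without CA:TRUE the
# firewall cannot use the result to sign impersonated server certificates.
sign_as_subordinate_ca() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca2.crt" -CAkey "$WORK/ca2.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/fw.crt" 2>/dev/null
}

# Checks a practitioner runs on what comes back from the CA and out of the firewall.
is_ca_cert() {          # 0 if the certificate carries basicConstraints CA:TRUE
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
pem_has_private_key() { # 0 if a PEM file or bundle contains a private key block
  grep -q 'PRIVATE KEY-----' "$1"
}
p12_has_private_key() { # 0 if a PKCS#12 export contains a private key ($2 = password)
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null | grep -q 'PRIVATE KEY-----'
}
chain_verifies() {      # 0 if the subordinate CA certificate chains to the root
  openssl verify -CAfile "$WORK/ca2.crt" "$WORK/fw.crt" >/dev/null 2>&1
}

# Simulate the two shapes a firewall export can take: certificate only
# (what Block Private Key Export should force) vs. certificate + private key.
make_exports() {
  openssl pkcs12 -export -nokeys -in "$WORK/fw.crt" -passout pass:export \
    -out "$WORK/export-cert-only.p12" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/fw.key" -in "$WORK/fw.crt" -passout pass:export \
    -out "$WORK/export-with-key.p12" 2>/dev/null
}

yn() { "$@" >/dev/null 2>&1 && echo yes || echo no; }

run_demo() {
  make_root_ca; make_forward_trust_csr; sign_as_subordinate_ca; make_exports
  echo "root certificate is a CA:          $(yn is_ca_cert "$WORK/ca2.crt")"
  echo "issued forward-trust cert is a CA: $(yn is_ca_cert "$WORK/fw.crt")"
  echo "forward-trust chains to root:      $(yn chain_verifies)"
  echo "CSR contains the private key:      $(yn pem_has_private_key "$WORK/fw.csr")"
  echo "cert-only export contains key:     $(yn p12_has_private_key "$WORK/export-cert-only.p12" export)"
  echo "cert+key export contains key:      $(yn p12_has_private_key "$WORK/export-with-key.p12" export)"
}

run_demo
```

The `p12_has_private_key` check is the one to run on whatever the firewall's Export Certificate dialog actually produced: if a PKCS#12 bundle parses with `-nocerts -nodes` and yields a `PRIVATE KEY` block, the key left the box regardless of what the GUI icon says, which is exactly the discrepancy the Method 2 walk-through reports.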