Preventing the export of SSL server certificates and private keys
The bulk export feature on the Optimization > SSL: Advanced Settings page allows you to export SSL server certificates and private keys. You can also select SSL server certificates for export individually under Optimization > SSL: SSL Main Settings. These features are useful to back up SSL configurations or move them to another appliance; however, security-conscious organizations might want to make SSL configurations nonexportable. You can ensure a secure SSL deployment by preventing your SSL server certificates and private keys from leaving the appliance.
Consider making SSL server certificates and private keys nonexportable with your particular security goals in mind. Before doing so, you must have a thorough understanding of the impact of this change. Use caution and consider these limitations before making SSL configurations nonexportable:
• After disabling export on an appliance, you cannot reenable it unless you perform a factory reset on the appliance (losing the configuration) or clear the secure vault.
• After disabling export, you cannot export any preexisting or newly added server certificates and private keys to another appliance.
• After disabling export, any newly added server certificates and keys are marked as nonexportable.
• After disabling export and then downgrading a SteelHead to a previous RiOS version, you cannot export any of the existing server certificates and private keys. You can export any newly added server certificates and private keys.
• Disabling export prevents copying of the secure vault content.
Under SSL Server Certificate Export Settings, click Disable Exporting of SSL Server Certificates.
The system reminds you that disabling export cannot be undone.
Click Disable Export.