D-Link DFL-260E User Manual for DFL-260E - Page 149
3.8.1. Overview
Chapter 3. Fundamentals

A CA can also issue certificates to other CAs. This leads to a chain-like certificate hierarchy. The highest certificate is called the Root Certificate and it is signed by the Root CA. Each certificate in the chain is signed by the CA of the certificate directly above it in the chain. However, the root certificate is signed by itself (it is "self-signed"). Certificates in the chain between the root certificate and the end certificate are called Intermediate Certificates.

A Certification Path refers to the path of certificates from one certificate to another. When verifying the validity of a user certificate, the entire path from the user certificate up to the trusted root certificate has to be examined before establishing the validity of the user certificate.

The CA certificate is just like any other certificate, except that it allows the corresponding private key to sign other certificates. Should the private key of the CA be compromised, the whole CA, including every certificate it has signed, is also compromised.

In NetDefendOS, the maximum length of a certificate chain is 4. In VPN scenarios with roaming clients, the client's certificate will be the bottom of a certificate chain.

Validity Time

A certificate is not valid forever. Each certificate contains values for two points in time between which the certificate is valid. When this validity period expires, the certificate can no longer be used and a new certificate must be issued.

Important: The system date and time must be correct

Make sure the NetDefendOS system date and time are set correctly when using certificates. Problems with certificates, for example in VPN tunnel establishment, can be due to an incorrect system date or time.

The NetDefendOS Certificate Cache

NetDefendOS maintains a Certificate Cache in local memory which speeds up processing when certificates are being repeatedly accessed. This cache is only completely cleared and initialized when NetDefendOS is restarted. For this reason, it is important to restart NetDefendOS if any certificates are added, modified or deleted. This can be done with the CLI command:

gw-world:/> shutdown

Certificate Revocation Lists

A Certificate Revocation List (CRL) contains a list of all certificates that have been canceled before their expiration date. They are normally held on an external server which is accessed to determine if the certificate is still valid. The ability to validate a user certificate in this way is a key reason why certificate security simplifies the administration of large user communities. CRLs are published on servers that all certificate users can access, using either the LDAP or HTTP protocols.

Revocation can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way, or perhaps that the owner of the certificate has lost the rights to authenticate using that certificate, perhaps because they have left the company. Whatever the reason, server CRLs can be updated to change the validity of one or many certificates.

Certificates often contain a CRL Distribution Point (CDP) field, which specifies the location from where the CRL can be downloaded. In some cases, certificates do not contain this field. In those cases the location of the CRL has to be configured manually.

A CA usually updates its CRL at a given interval. The length of this interval depends on how the
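The certification path check and the validity-time dependency described earlier on this page, as an added Go example that is not part of the D-Link manual or of NetDefendOS: it constructs a root CA, an intermediate CA and a roaming client certificate and then examines the whole path up to the trusted root with Go's crypto/x509 against a supplied system clock. All names, serial numbers and validity years are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn, valid between 1 January of years from and to, signed by parent/pkey (nil parent: self-signed root).
func mkCert(cn string, serial int64, isCA bool, from, to int, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(from, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(to, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tpl, key // the root certificate is signed by itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildPKI constructs root CA -> intermediate CA -> roaming VPN client, a path of length 3 (NetDefendOS allows at most 4).
func buildPKI() (root, inter, leaf *x509.Certificate) {
	root, rootKey := mkCert("Example Root CA", 1, true, 2020, 2040, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", 2, true, 2022, 2030, root, rootKey)
	leaf, _ = mkCert("vpn-client-01", 3, false, 2024, 2025, inter, interKey) // constructed client at the bottom of the chain
	return
}

// verifyPath examines the whole path from the client up to the trusted root against the system clock now (chains are leaf-first).
func verifyPath(leaf, inter, root *x509.Certificate, now time.Time) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
}

// clockProblem reports whether a path failure is a validity-period failure, the symptom of a wrong system clock.
func clockProblem(err error) bool {
	inv, ok := err.(x509.CertificateInvalidError)
	return ok && inv.Reason == x509.Expired
}
```

A validity-period failure from verifyPath is the case the manual's note about the system date and time refers to; an untrusted or wrongly signed path fails with a different error type, so clockProblem separates the two symptoms.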