D-Link DFL-1660 Product Manual - Page 129
Certificates in NetDefendOS, Important
3.7.2. Certificates in NetDefendOS Chapter 3. Fundamentals

Validity Time

A certificate is not valid forever. Each certificate contains the dates between which it is valid. When this validity period expires, the certificate can no longer be used and a new certificate has to be issued.

Important

Make sure the NetDefendOS date and time are set correctly when using certificates.

Certificate Revocation Lists

A Certificate Revocation List (CRL) contains a list of all certificates that have been cancelled before their expiration date. CRLs are normally held on an external server, which is accessed to determine whether a certificate is still valid. The ability to validate a user certificate in this way is a key reason why certificate security simplifies the administration of large user communities.

CRLs are published on servers that all certificate users can access, using either the LDAP or HTTP protocol.

Revocation can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way; another could be that the owner of the certificate has lost the right to authenticate using that certificate, for example because they have left the company. Whatever the reason, server CRLs can be updated to change the validity of one or many certificates.

Certificates often contain a CRL Distribution Point (CDP) field, which specifies the location from which the CRL can be downloaded. In some cases, certificates do not contain this field. In those cases the location of the CRL has to be configured manually.

A CA usually updates its CRL at a given interval. The length of this interval depends on how the CA is configured. Typically, it is somewhere between an hour and several days.

Trusting Certificates

When using certificates, NetDefendOS trusts anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate:

• Construct a certification path up to the trusted root CA.
• Verify the signatures of all certificates in the certification path.
• Fetch the CRL for each certificate to verify that none of the certificates has been revoked.

Identification Lists

In addition to verifying the signatures of certificates, NetDefendOS also employs identification lists. An identification list is a list naming all the remote identities that are allowed access through a specific VPN tunnel, provided the certificate validation procedure described above succeeded.

Reusing Root Certificates

In NetDefendOS, root certificates should be seen as global entities that can be reused between VPN tunnels. Even though a root certificate is associated with one VPN tunnel in NetDefendOS, it can still be reused with any number of other, different VPN tunnels.

3.7.2. Certificates in NetDefendOS

Certificates can be uploaded to NetDefendOS for use in IKE/IPsec authentication, Webauth, etc.
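The acceptance decision described above (certification path to a trusted root, signature on every certificate in the path, CRL lookup per issuer, validity window against the device clock, and finally the tunnel's identification list) as an added, self-contained model; this is example code, not NetDefendOS code, and it stands in an HMAC for the real CA signature so that it runs without an X.509 library. The CA names, keys, serial numbers and identities are constructed placeholders.

```python
import hmac, hashlib
from datetime import datetime, timezone

def sign(issuer_key, cert):
    # Stand-in for the CA's signature over the certificate body (HMAC here, not RSA/ECDSA).
    body = "|".join(str(cert[k]) for k in ("subject", "issuer", "serial", "not_before", "not_after"))
    return hmac.new(issuer_key, body.encode(), hashlib.sha256).hexdigest()

def make_cert(subject, issuer, serial, not_before, not_after, issuer_key):
    cert = {"subject": subject, "issuer": issuer, "serial": serial,
            "not_before": not_before, "not_after": not_after}
    cert["sig"] = sign(issuer_key, cert)
    return cert

def accept(cert, store, keys, trusted_roots, crls, id_list, now):
    path = [cert]  # 1. follow issuer names up to a self-signed root
    while path[-1]["issuer"] != path[-1]["subject"]:
        if path[-1]["issuer"] not in store:
            return "reject: no path to a root CA"
        path.append(store[path[-1]["issuer"]])
    if path[-1]["subject"] not in trusted_roots:
        return "reject: root CA is not trusted"
    for c in path:
        if not c["not_before"] <= now <= c["not_after"]:  # a wrong device clock fails here
            return f"reject: {c['subject']} outside its validity period"
        if not hmac.compare_digest(c["sig"], sign(keys[c["issuer"]], c)):  # 2. signatures
            return f"reject: bad signature on {c['subject']}"
        if c["issuer"] != c["subject"]:  # 3. each issued certificate against its issuer's CRL
            crl = crls.get(c["issuer"])  # None: no CDP and no manually configured CRL location
            if crl is None:
                return f"reject: no CRL available for {c['issuer']}"
            if c["serial"] in crl:
                return f"reject: {c['subject']} has been revoked"
    if cert["subject"] not in id_list:  # identification list for this tunnel
        return "reject: identity not in the tunnel's identification list"
    return "accept"

# Constructed sample PKI (placeholder names and keys): root, sub-CA, one user certificate.
KEYS = {"Root CA": b"root-key", "Sub CA": b"sub-key"}
T0, T1 = datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2026, 1, 1, tzinfo=timezone.utc)
ROOT = make_cert("Root CA", "Root CA", 1, T0, T1, KEYS["Root CA"])
SUB = make_cert("Sub CA", "Root CA", 2, T0, T1, KEYS["Root CA"])
ALICE = make_cert("alice@example.com", "Sub CA", 10, T0, T1, KEYS["Sub CA"])
STORE = {c["subject"]: c for c in (ROOT, SUB)}
CRLS = {"Root CA": set(), "Sub CA": set()}  # nothing revoked yet
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def check(cert, now=NOW, crls=CRLS, id_list=frozenset({"alice@example.com"})):
    return accept(cert, STORE, KEYS, {"Root CA"}, crls, id_list, now)
```

Passing a skewed `now`, a CRL that lists serial 10, a CRL set with no entry for the sub-CA, or an empty identification list to `check` shows each rejection path in turn.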