D-Link DFL-2500 User Guide - Page 69
Validity Time, Certificate Revocation Lists CRL, Trusting Certificates
50 Chapter 8. Logical Objects

from the user certificate up to the trusted root certificate has to be examined before establishing the validity of the user certificate. The CA certificate is just like any other certificate, except that it allows the corresponding private key to sign other certificates. Should the private key of the CA be compromised, the whole CA, including every certificate it has signed, is also compromised.

Validity Time

A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued.

Certificate Revocation Lists (CRL)

A certificate revocation list (CRL) contains a list of all certificates that have been cancelled before their expiration date. This can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way, or perhaps that the owner of the certificate has lost the right to authenticate using that certificate. This could happen, for instance, if an employee has left the company that issued the certificate.

A CRL is regularly published on a server that all certificate users can access, using either the LDAP or HTTP protocol. Certificates often contain a CRL Distribution Point (CDP) field, which specifies the location from which the CRL can be downloaded. In some cases certificates do not contain this field; in those cases the location of the CRL has to be configured manually. See 22.1.4, LDAP.

The CA updates its CRL at a given interval. The length of this interval depends on how the CA is configured. Typically, it is somewhere between an hour and several days.

Trusting Certificates

When using certificates, the firewall trusts anyone whose certificate is signed by a given CA.
Before a certificate is accepted, the following steps are taken to verify the validity of the certificate:

- Construct a certification path up to the trusted root CA.

D-Link Firewalls User's Guide
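The checks this chapter describes (building a certification path to a trusted root, the validity period, the CRL lookup with a freshness limit, and the fact that a compromised CA drags every certificate it signed down with it) as an added Python model; this is not code from the D-Link guide or from the firewall. It uses constructed, simplified certificate records instead of real X.509 objects, so no signatures are verified, and the CA names, serial numbers and dates are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed, simplified certificate records; real X.509 parsing and signature checks are omitted.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # equals subject for a self-signed root
    serial: int
    not_before: datetime
    not_after: datetime

def build_path(leaf, certs, trusted_roots):
    """Follow issuer names from the leaf up to a self-signed cert in the trust store."""
    path = [leaf]
    while path[-1].issuer != path[-1].subject and len(path) < 10:
        issuer = next((c for c in certs if c.subject == path[-1].issuer), None)
        if issuer is None:
            return None                     # chain cannot be completed
        path.append(issuer)
    return path if path[-1] in trusted_roots else None

def validate(leaf, certs, trusted_roots, crls, now):
    """crls maps a CA name to (revoked serials, nextUpdate). Returns (accepted, reason)."""
    path = build_path(leaf, certs, trusted_roots)
    if path is None:
        return False, "no certification path to a trusted root CA"
    for cert in path:                       # leaf first, root last
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if cert.issuer == cert.subject:
            continue                        # root is anchored by the trust store, not a CRL
        if cert.issuer not in crls or crls[cert.issuer][1] < now:
            return False, f"{cert.issuer}: CRL unavailable or stale"  # fail closed
        if cert.serial in crls[cert.issuer][0]:
            return False, f"{cert.subject}: revoked by {cert.issuer}"
    return True, "valid"

# Constructed sample hierarchy: root -> issuing CA -> users (carol's cert has expired).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _c(subject, issuer, serial, days=365):
    return Cert(subject, issuer, serial, NOW - timedelta(days=30), NOW + timedelta(days=days))
ROOT = _c("Example Root CA", "Example Root CA", 1)
CERTS = [ROOT, _c("Example Issuing CA", "Example Root CA", 2),
         _c("alice", "Example Issuing CA", 10), _c("bob", "Example Issuing CA", 11),
         _c("carol", "Example Issuing CA", 12, days=-1)]
CRLS = {"Example Root CA": (frozenset(), NOW + timedelta(days=7)),
        "Example Issuing CA": (frozenset({11}), NOW + timedelta(hours=1))}  # bob revoked
def check_user(name, crls=CRLS, now=NOW):
    return validate(next(c for c in CERTS if c.subject == name), CERTS, {ROOT}, crls, now)
```

Revoking the issuing CA's serial in the root's CRL makes every user certificate below it fail, and a CRL whose nextUpdate has passed is treated as missing rather than trusted.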