Uploading And Using Certificates - D-Link NetDefendOS User Manual

Network security firewall
Fetch the CRL for each certificate to verify that none of the certificates have been revoked.
ID Lists
In addition to verifying the signatures of certificates, NetDefendOS can also use an ID list object
when authenticating a connecting IPsec client. An ID list contains all IDs that are allowed access
through a specific IPsec tunnel. An ID is sent by the peer during the IKE negotiation and if a
matching tunnel is found with this remote ID, authentication is then performed by checking to
see if the certificate sent by the client contains that ID.
Using IPsec ID lists with certificates is described further in Section 9.3.8, "Using ID Lists with
Certificates".
Reusing Root Certificates
In NetDefendOS, root certificates should be seen as global entities that can be reused between
VPN tunnels. Even though a root certificate is associated with one VPN tunnel in NetDefendOS, it
can still be reused with any number of other, different VPN tunnels.
Other Considerations
A number of other factors should be kept in mind when using certificates:
If Certificate Revocation Lists (CRLs) are used then the CRL distribution point is defined as an
FQDN (for example, caserver.example.com) which must be resolved to an IP address using a
public DNS server. At least one DNS server that can resolve this FQDN should therefore be
defined in NetDefendOS.
The CRL distribution point can be contained in the certificate, but NetDefendOS also provides the
ability to associate alternative CRL distribution points with a certificate. This is described further in
Section 3.9.3, "CRL Distribution Point Lists".
Do not get the Host Certificate files and Root Certificate files mixed up. Although a Host
Certificate cannot function as a Root Certificate in NetDefendOS, it is possible to accidentally
configure a Host Certificate as a Root Certificate.
Host certificates have two files associated with them, with the filetypes .key and .cer. The
filename of these two files must be the same for NetDefendOS to be able to use them. For
example, if the certificate is called my_cert then the files are my_cert.key and my_cert.cer.
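As an added example, not part of the manual or of NetDefendOS, the following Python sketch checks a DER-encoded .cer file before uploading it, to tell a self-signed CA (root) certificate from a host certificate and so avoid the mix-up described above. It assumes ordinary definite-length DER with single-byte tags, as real certificates use; the sample_cert helper builds a constructed stand-in whose unread fields are placeholders, not a real certificate.

```python
# Heuristic: a root certificate is self-signed (issuer == subject) and carries
# BasicConstraints cA=TRUE; anything else is treated as a host certificate.
BASIC_CONSTRAINTS = (0x06, b"\x55\x1d\x13")        # OID 2.5.29.19 as (tag, content)

def der(tag, body):
    """Minimal DER encoder (single tag byte, definite length); used for the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlvs(buf):
    """Split a DER byte string into a list of (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                             # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def classify_certificate(cert_der):
    """Return 'root' for a self-signed CA certificate, otherwise 'host'."""
    tbs = tlvs(tlvs(tlvs(cert_der)[0][1])[0][1])     # Certificate -> tbsCertificate fields
    if tbs[0][0] == 0xA0:                             # drop the optional [0] version field
        tbs = tbs[1:]
    issuer, subject = tbs[2][1], tbs[4][1]            # serial, sigAlg, issuer, validity, subject
    is_ca = False
    for tag, ext_content in tbs:
        if tag != 0xA3:                               # [3] EXPLICIT Extensions
            continue
        for _, ext in tlvs(tlvs(ext_content)[0][1]):  # each Extension SEQUENCE
            fields = tlvs(ext)                        # OID, [critical], OCTET STRING
            if fields[0] == BASIC_CONSTRAINTS:
                bc = tlvs(tlvs(fields[-1][1])[0][1])  # BasicConstraints SEQUENCE body
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in bc)
    return "root" if issuer == subject and is_ca else "host"

def sample_cert(issuer_cn, subject_cn, ca):
    """Constructed stand-in for a certificate: only the fields the classifier reads are real."""
    def name(cn):                                     # Name = SEQUENCE { SET { SEQ { OID CN, UTF8String } } }
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    bc = der(0x30, der(0x01, b"\xff") if ca else b"")
    ext = der(0xA3, der(0x30, der(0x30, der(0x06, b"\x55\x1d\x13") + der(0x04, bc))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + name(issuer_cn)
           + der(0x30, b"") + name(subject_cn) + der(0x30, b"") + ext)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

Run classify_certificate on the bytes of a real .cer file (converting from PEM first if needed); a result of "host" for a file you intended to upload as a root certificate is the mix-up the manual warns about.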

3.9.2. Uploading and Using Certificates

Certificate File Uploading
Certificate files can be uploaded to NetDefendOS in one of two ways:
Upload using Secure Copy (SCP).
Upload through the Web Interface.
SCP Uploading
The following command lines show how a typical SCP utility might upload a certificate consisting
273
Chapter 3: Fundamentals
