Table of Contents
Advertisement
3.9.4. CA Server Access
Overview
Certificate validation can be done by accessing a separate Certifícation Server (CA) server. For
example, the two sides of an IPsec tunnel exchange their certificates during the tunnel setup
negotiation and either may then try to validate the received certificate.
A certificate can contain a URL (the CRL Distribution Point) which specifies the validating CA
server and server access is performed using an HTTP GET request with an HTTP reply. (This URL is
more correctly called an FQDN - Fully Qualified Domain Name.)
If a certificate does not contain a distribution point, this can be defined separately in
NetDefendOS by specifying a CRL Distribution Point List object and associating this with a
certificate in the configuration. This is explained further in Section 3.9.3, "CRL Distribution Point
Lists".
CA Server Types
CA servers are of two types:
•
A commercial CA server operated by one of the commercial certificate issuing companies.
These are accessible over the public Internet and their FQDNs are resolvable through the
public Internet DNS server system.
•
A private CA server operated by the same organization setting up the VPN tunnels. The IP
address of a private server will not be known to the public DNS system unless it is explicitly
registered. It also will not be known to an internal network unless it is registered on an
internal DNS server.
Access Considerations
The following considerations should be taken into account for CA server access to succeed:
•
Either side of a VPN tunnel may issue a validation request to a CA server.
•
For a certificate validation request to be issued, the FQDN of the certificate's CA server must
first be resolved into an IP address. The following scenarios are possible:
1.
The CA server is a private server behind the NetDefend Firewall and the tunnels are set
up over the public Internet but to clients that will not try to validate the certificate sent
by NetDefendOS.
In this case, the IP address of the private server needs only be registered on a private
DNS server so the FQDN can be resolved. This private DNS server will also have to be
configured in NetDefendOS so it can be found when NetDefendOS issues a validation
request. This will also be the procedure if the tunnels are being set up entirely internally
without using the public Internet.
2.
The CA server is a private server with tunnels set up over the public Internet and with
clients that will try to validate the certificate received from NetDefendOS. In this case the
following must be done:
a.
A private DNS server must be configured so that NetDefendOS can locate the
private CA server to validate the certificates coming from clients.
277
Chapter 3: Fundamentals
- Quick Links:
- User Manual
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
