Manage Digital Certificates For Vpn Connections - NETGEAR UTM9S Reference Manual

Prosecure unified threat management (utm) appliance
Manage Digital Certificates for VPN Connections

Note: For information about digital certificates for HTTPS scans, see Manage Digital Certificates for HTTPS Scans on page 213.
The UTM uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways or clients, or to be authenticated by remote entities. The same digital certificates are also used for secure web access connections over HTTPS (that is, SSL connections).
Digital certificates can either be self-signed or be issued by certification authorities (CAs) such as an internal Windows server or an external organization such as Verisign or Thawte. However, if a digital certificate contains the extKeyUsage extension, the certificate can be used only for the purposes defined by that extension. For example, if the extKeyUsage extension of a digital certificate is defined for SNMPv2, the same certificate cannot be used for secure web management. The extKeyUsage extension governs the acceptance criteria on the UTM when the same digital certificate is used for secure web management.
On the UTM, an uploaded digital certificate is checked for validity and purpose. The digital certificate is accepted when it passes the validity test and its purpose matches its intended use. The purpose check must correspond to the certificate's use for IPSec VPN, SSL VPN, or both. If the defined purpose covers both IPSec VPN and SSL VPN, the digital certificate is uploaded to both the IPSec VPN certificate repository and the SSL VPN certificate repository. If the defined purpose is IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository.
The UTM uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified.
You can obtain a digital certificate from a well-known commercial certification authority (CA) such as Verisign or Thawte, or you can generate and sign your own digital certificate. Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate from a commercial CA provides a strong assurance of the server's identity. A self-signed certificate triggers a warning from most browsers because it provides no protection against impersonation of the server.
The UTM contains a self-signed certificate from NETGEAR. This certificate can be
downloaded from the UTM login screen for browser import. However, NETGEAR
recommends that you replace this digital certificate with a digital certificate from a well-known
commercial CA prior to deploying the UTM in your network.
ProSecure Unified Threat Management (UTM) Appliance
Managing Users, Authentication, and VPN Certificates
381
