Certificates In Netdefendos - D-Link NetDefend DFL-210 User Manual

3.7.2. Certificates in NetDefendOS

Validity Time
A certificate is not valid forever. Each certificate contains the dates between which the certificate is
valid. When this validity period expires, the certificate can no longer be used, and a new certificate
has to be issued.
Certificate Revocation Lists
A Certificate Revocation List (CRL) contains a list of all certificates that have been cancelled before
their expiration date. They are normally held on an external server which is accessed to determine if
the certificate is still valid. The ability to validate a user certificate in this way is a key reason why
certificate security simplifies the administration of large user communities.
CRLs are published on servers that all certificate users can access, using either the LDAP or HTTP
protocols. Revocation can happen for several reasons. One reason could be that the keys of the
certificate have been compromised in some way, or perhaps that the owner of the certificate has lost
the rights to authenticate using that certificate, perhaps because they have left the company.
Whatever the reason, server CRLs can be updated to change the validity of one or many certificates.
Certificates often contain a CRL Distribution Point (CDP) field, which specifies the location from
where the CRL can be downloaded. In some cases, certificates do not contain this field. In those
cases the location of the CRL has to be configured manually.
A CA usually updates its CRL at a given interval. The length of this interval depends on how the
CA is configured. Typically, this is somewhere between an hour to several days.
Trusting Certificates
When using certificates, NetDefendOS trusts anyone whose certificate is signed by a given CA.
Before a certificate is accepted, the following steps are taken to verify the validity of the certificate:
• Construct a certification path up to the trusted root CA.
• Verify the signatures of all certificates in the certification path.
• Fetch the CRL for each certificate to verify that none of the certificates have been revoked.
Identification Lists
In addition to verifying the signatures of certificates, NetDefendOS also employs identification lists.
An identification list is a list naming all the remote identities that are allowed access through a
specific VPN tunnel, provided the certificate validation procedure described above succeeded.
Reusing Root Certificates
In NetDefendOS, root certificates should be seen as global entities that can be reused between VPN
tunnels. Even though a root certificate is associated with one VPN tunnel in NetDefendOS, it can
still be reused with any number of other, different VPN tunnels.
3.7.2. Certificates in NetDefendOS
Certificates can be uploaded to NetDefendOS for use in IKE/IPsec authentication, Webauth, etc.
Important
Make sure the NetDefendOS date and time are set correctly when using certificates.
118
Chapter 3. Fundamentals