D-Link DFL-1660 User Manual page 151

Network security firewall
3.8.1. Overview
A CA can also issue certificates to other CAs. This leads to a chain-like certificate hierarchy. The highest certificate is called the Root Certificate and it is signed by the Root CA. Each certificate in the chain is signed by the CA of the certificate directly above it in the chain. However, the root certificate is signed by itself (it is "self-signed"). Certificates in the chain between the root certificate and the end certificate are called Intermediate Certificates.

A Certification Path refers to the path of certificates from one certificate to another. When verifying the validity of a user certificate, the entire path from the user certificate up to the trusted root certificate has to be examined before establishing the validity of the user certificate.

The CA certificate is just like any other certificate, except that it allows the corresponding private key to sign other certificates. Should the private key of the CA be compromised, the whole CA, including every certificate it has signed, is also compromised.

In NetDefendOS, the maximum length of a certificate chain is 4. In VPN scenarios with roaming clients, the client's certificate will be the bottom of a certificate chain.
Validity Time

A certificate is not valid forever. Each certificate contains values for two points in time between which the certificate is valid. When this validity period expires, the certificate can no longer be used and a new certificate must be issued.

The NetDefendOS Certificate Cache

NetDefendOS maintains a Certificate Cache in local memory which provides a processing speed enhancement when certificates are being repeatedly accessed. This cache is only completely cleared and initialized when NetDefendOS is restarted.

For this reason, it is important to restart NetDefendOS if any certificates are added, modified or deleted. This can be done with the CLI command:

gw-world:/> shutdown
Certificate Revocation Lists

A Certificate Revocation List (CRL) contains a list of all certificates that have been canceled before their expiration date. CRLs are normally held on an external server which is accessed to determine if a certificate is still valid. The ability to validate a user certificate in this way is a key reason why certificate security simplifies the administration of large user communities.

CRLs are published on servers that all certificate users can access, using either the LDAP or HTTP protocols. Revocation can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way, or perhaps that the owner of the certificate has lost the rights to authenticate using that certificate, perhaps because they have left the company. Whatever the reason, server CRLs can be updated to change the validity of one or many certificates.

Certificates often contain a CRL Distribution Point (CDP) field, which specifies the location from where the CRL can be downloaded. In some cases, certificates do not contain this field. In those cases the location of the CRL has to be configured manually.

A CA usually updates its CRL at a given interval. The length of this interval depends on how the
Important: The system date and time must be correct

Make sure the NetDefendOS system date and time are set correctly when using certificates. Problems with certificates, for example in VPN tunnel establishment, can be due to an incorrect system date or time.
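The following is an added example that models the checks described in this section (the path up to a trusted self-signed root, the NetDefendOS chain limit of 4, the validity window against the system clock, and the CDP field with a manually configured CRL location as fallback); it is not code from the manual or from NetDefendOS. The certificate names, URLs and CRL contents are constructed, and an issuer-name match stands in for real signature verification.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

MAX_CHAIN_LENGTH = 4  # NetDefendOS limit stated in the manual

def ts(y: int, m: int = 1, d: int = 1) -> datetime:
    """Build a UTC timestamp; validity checks are only as good as the system clock."""
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class Cert:  # simplified stand-in for an X.509 certificate (no real parsing or signatures)
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False
    cdp: Optional[str] = None  # CRL Distribution Point; None models a cert lacking the field

def validate_path(chain: List[Cert], trusted_roots: Set[str], crls: Dict[str, Set[str]],
                  manual: Dict[str, str], now: datetime) -> Tuple[bool, str]:
    """chain[0] is the end (user) certificate, chain[-1] the root. Returns (ok, reason)."""
    if not chain or len(chain) > MAX_CHAIN_LENGTH:
        return False, f"chain length {len(chain)} not in 1..{MAX_CHAIN_LENGTH}"
    root = chain[-1]
    if root.issuer != root.subject or root.subject not in trusted_roots:
        return False, f"{root.subject}: top of chain is not a trusted self-signed root"
    for i, cert in enumerate(chain):
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if i > 0 and not cert.is_ca:
            return False, f"{cert.subject}: signer in chain is not a CA certificate"
        if cert is root:
            continue  # the self-signed root signs itself and has no CRL of its own to consult
        # Issuer-name match stands in for verifying the signature with the issuer's public key.
        if cert.issuer != chain[i + 1].subject:
            return False, f"{cert.subject}: not issued by {chain[i + 1].subject}"
        loc = cert.cdp or manual.get(cert.issuer)  # prefer the CDP field, else manual config
        if loc is None:
            return False, f"{cert.subject}: no CDP field and no CRL location configured"
        if cert.subject in crls.get(loc, set()):
            return False, f"{cert.subject}: revoked in {loc}"
    return True, "path valid"

# Constructed sample hierarchy (made-up names): root -> VPN CA -> roaming client certificate.
ROOT = Cert("Example Root CA", "Example Root CA", ts(2020), ts(2040), True)
INTER = Cert("Example VPN CA", "Example Root CA", ts(2021), ts(2031), True, "http://crl.example.test/root.crl")
CLIENT = Cert("vpn-client-01", "Example VPN CA", ts(2023), ts(2024))  # issued without a CDP field
MANUAL_CRL = {"Example VPN CA": "http://crl.example.test/vpn.crl"}  # configured by hand for client certs
CRLS = {"http://crl.example.test/root.crl": set(), "http://crl.example.test/vpn.crl": {"vpn-client-02"}}
```

Calling `validate_path([CLIENT, INTER, ROOT], {"Example Root CA"}, CRLS, MANUAL_CRL, ts(2023, 6, 1))` accepts the path, while the same call with a clock set to 2024 rejects the client certificate as outside its validity period, which is the failure mode the note above describes.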
151
Chapter 3. Fundamentals
