Certificates; Overview; The Certification Authority; Validity Time - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05


3.7. X.509 Certificates
NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication.

3.7.1. Overview

An X.509 certificate is a digital proof of identity. It binds an identity to a public key so that a relying party can establish whether that public key truly belongs to its supposed owner. This defeats an attacker who tries to intercept a data transfer by publishing a forged key under the name and user ID of the intended recipient.
A certificate consists of the following:
A public key.
Identity information: the "identity" of the holder, such as a name or user ID.
A digital signature: a statement that the information enclosed in the certificate has been vouched for by a Certificate Authority (CA).
By binding this information together, a certificate is a public key with identification attached, coupled with a stamp of approval by a trusted party.

3.7.2. The Certification Authority

A certification authority ("CA") is a trusted entity that issues certificates to other entities. The CA digitally signs every certificate it issues. A valid CA signature on a certificate shows that the CA has vouched for the identity of the certificate holder and that the certificate has not been altered by any third party since it was signed.
A certification authority is responsible for making sure that the information in every certificate it issues is correct. It also has to make sure that the identity stated in the certificate matches the identity of the certificate holder.
A CA can also issue certificates to other CAs. This leads to a tree-like certificate hierarchy. The highest CA is called the root CA. In this hierarchy, each CA certificate is signed by the CA directly above it, except for the root CA certificate, which is self-signed.
A certification path is the chain of certificates leading from one certificate to another. When verifying a user certificate, the entire path from the user certificate up to a trusted root certificate has to be examined, checking each signature in turn, before the user certificate can be considered valid.
A CA certificate is just like any other certificate, except that it allows the corresponding private key to sign other certificates. Should the private key of a CA be compromised, the whole CA is compromised, including every certificate it has signed, because an attacker holding that key can issue certificates that verify correctly under it and cannot be told apart from legitimate ones.

3.7.3. Validity Time

A certificate is not valid forever. Each certificate contains the two dates (its notBefore and notAfter fields) between which it is valid. Outside this period the certificate must be rejected, and once it has expired a new certificate has to be issued.

3.7.4. Certificate Revocation Lists

A Certificate Revocation List (CRL) is a list, signed by the issuing CA, of certificates that have been cancelled before their expiration date. This can happen for several reasons. One reason could be that the private key belonging to the certificate has been compromised in some way, or that the owner of the certificate has lost the right to authenticate using that certificate. This could happen, for instance, if an employee has
Chapter 3. Fundamentals
