D-Link NetDefendOS User Manual page 270

Network security firewall

perhaps because a CA server is offline, then the certificate will be unusable and
authentication will fail.
If the certificate has no CRL associated with it then enforced checking is ignored. A
self-signed certificate, such as the ones used for NetDefendOS management
connections, does not have an associated CRL but will still have this default option
selected.
ii. Conditional
CRL checking will be performed by NetDefendOS provided any associated CRL is
available. If the CRL cannot be accessed, perhaps because a CA server is offline, then the
certificate will be used anyway.
iii. Disabled
This causes all CRL checking to be disabled. The certificate will be used even if there is a
CRL associated with it.
CRLs are discussed further later in this section.
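
The three CRL checking modes described above, modelled as an added Python example (not code from the manual or from NetDefendOS). The mode name Enforced is inferred from the text, and the CertState fields and function names are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class CrlMode(Enum):
    ENFORCED = "Enforced"        # name inferred from "enforced checking" in the text
    CONDITIONAL = "Conditional"
    DISABLED = "Disabled"


@dataclass
class CertState:                        # hypothetical model, not a NetDefendOS object
    serial: int
    has_crl: bool                       # a CRL is associated with the certificate
    crl_serials: Optional[Set[int]]     # revoked serials; None = CRL could not be fetched


def certificate_usable(mode: CrlMode, cert: CertState) -> tuple[bool, str]:
    """Return (usable, reason) following the three modes described above."""
    if mode is CrlMode.DISABLED:
        return True, "CRL checking disabled"
    if not cert.has_crl:
        # e.g. a self-signed management certificate: nothing to check against
        return True, "no CRL associated, check skipped"
    if cert.crl_serials is None:
        if mode is CrlMode.ENFORCED:
            return False, "CRL unreachable, fail closed"
        return True, "CRL unreachable, fail open"
    if cert.serial in cert.crl_serials:
        return False, "serial listed in CRL"
    return True, "CRL checked, not revoked"


def fail_open_cases() -> list[str]:
    """List mode/state pairs where a revoked certificate would still be accepted."""
    # Constructed states: the certificate (serial 7) is revoked in both of them.
    states = {
        "crl reachable": CertState(7, True, {7}),
        "crl unreachable": CertState(7, True, None),
    }
    return [f"{m.value}/{name}" for m in CrlMode for name, s in states.items()
            if certificate_usable(m, s)[0]]


if __name__ == "__main__":
    for case in fail_open_cases():
        print("revoked certificate accepted:", case)
```

Only the first mode rejects a revoked certificate when the CRL cannot be fetched; Conditional accepts it during a CA outage and Disabled accepts it always.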
CRL Distribution Point List
The CRL Distribution Point List property of a Certificate object can be set to a CRL Distribution
Point List configuration object defined by the administrator. This can provide alternative
means to perform CRL checking if it is enabled. This feature is described further in
Section 3.9.3, "CRL Distribution Point Lists".
Creating Certificate Objects in NetDefendOS
A Certificate configuration object is used for defining a logical certificate in NetDefendOS. When
such an object is added, it acts as a holder for associated certificate files. Certificate files are
associated with a certificate object in one of two ways:
Importing External Certificate Files
Certificate files stored on the management workstation's local hard disk are imported into
NetDefendOS.
Creating a Self-signed Certificate
The Web Interface can be used to get NetDefendOS to create the files for a self-signed
certificate. In the Web Interface, go to Objects > Key Ring > Add > Certificate then choose
Generate (RSA) from the Source options for the new certificate. This allows the following
properties to be specified for the self-signed certificate:
i. Common Name.
ii. Bit length (default value: 2048).
iii. Certification Authority.
If the Certification Authority option is enabled, this self-signed certificate can be used
to sign other certificates and act as a CA.
Certificates with VPN Tunnels
Chapter 3: Fundamentals