D-Link NetDefendOS User Manual page 271

Network security firewall
The main use of certificates in NetDefendOS is in VPN tunnels. The simplest and fastest way
to provide security between the ends of a tunnel is to use Pre-shared Keys (PSKs). As a VPN
network grows, so does the complexity of managing PSKs. Certificates provide a means to better
manage security in much larger networks.
Certificate Authorities
A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA
digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of
the certificate holder, and guarantees that the certificate has not been tampered with by any
third party.
A CA is responsible for making sure that the information in every certificate it issues is correct. It
also has to make sure that the identity of the certificate matches the identity of the certificate
holder.
Root Certificates and Host Certificates
If a certificate is used for authentication, then it can be referred to as a Host Certificate but is
sometimes referred to in NetDefendOS as a Gateway Certificate. The certificate will consist
physically of two files, a .cer file containing the public key and a .key file containing the private
key. Both files must be loaded into NetDefendOS.
If the host certificate is CA signed then the Root Certificate provided by the signing CA will also
need to be loaded into NetDefendOS. This is just a single .cer file containing the public key of the
CA. Self-signed certificates will not have a corresponding root certificate.
Certificate Chains
A CA can also issue certificates to other CAs. This can lead to a chain-like certificate hierarchy.
Each certificate in the chain is signed by the CA of the certificate directly above it in the chain.
The certificates between the root and host certificates are called Intermediate Certificates and
consist physically of a single .cer file containing a public key.
The Certification Path refers to the path of certificates leading from one certificate to another.
When verifying the validity of a host certificate, the entire path from the host certificate up to the
trusted root certificate has to be available. For this reason, all intermediate certificates between
the root certificate and the host certificate must be loaded into NetDefendOS.
Chained certificates are supported in the following NetDefendOS features:
Access with HTTPS to the Web Interface.
IPsec VPN.
SSL VPN.
The TLS ALG.
In NetDefendOS IPsec VPN, the maximum length of a certificate chain is 4. In VPN scenarios with
roaming clients, the client's certificate will be the bottom of the certificate chain.
Validity Time
A certificate is not valid forever. Each certificate contains values for two points in time between
which the certificate is valid. When this validity period expires, the certificate can no longer be
used and a new certificate must be issued.
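The certification path and validity rules above (every intermediate loaded, a maximum IPsec chain length of 4, and every certificate inside its validity time), modelled as an added example that is not NetDefendOS code. The certificates, names and dates are constructed for the example, and the CA signature check is replaced by issuer/subject name matching, which is an assumption of the model.

```python
from dataclasses import dataclass
from datetime import date

MAX_IPSEC_CHAIN_LENGTH = 4  # limit stated in the manual for NetDefendOS IPsec VPN

@dataclass(frozen=True)
class Cert:
    """Minimal model of one .cer file: who it names, who signed it, its validity window."""
    subject: str
    issuer: str  # subject of the signing CA; equal to subject for a self-signed certificate
    not_before: date
    not_after: date

def build_path(host, intermediates, trusted_roots, now, max_len=MAX_IPSEC_CHAIN_LENGTH):
    """Return the path [host, intermediate..., root] or raise ValueError.
    `intermediates` and `trusted_roots` model the loaded .cer files. Assumption of this
    model: the CA signature check is replaced by issuer/subject name matching."""
    by_subject = {c.subject: c for c in intermediates}
    roots = {c.subject: c for c in trusted_roots}
    path = [host]
    while path[-1].subject != path[-1].issuer:  # walk up until a self-signed certificate
        current = path[-1]
        issuer = roots.get(current.issuer) or by_subject.get(current.issuer)
        if issuer is None:  # the intermediate (or root) was never loaded: path is incomplete
            raise ValueError(f"no certificate loaded for issuer {current.issuer!r}")
        if len(path) >= max_len:  # appending one more would exceed the supported length
            raise ValueError(f"chain exceeds maximum length {max_len}")
        path.append(issuer)
    if path[-1].subject not in roots:  # self-signed top that is not a trusted root
        raise ValueError(f"chain ends at untrusted certificate {path[-1].subject!r}")
    for cert in path:  # every certificate on the path must be inside its validity time
        if not cert.not_before <= now <= cert.not_after:
            raise ValueError(f"{cert.subject!r} is not valid on {now.isoformat()}")
    return path

def path_error(host, intermediates, trusted_roots, now):
    """Return None when the path verifies, otherwise the reason it was rejected."""
    try:
        build_path(host, intermediates, trusted_roots, now)
    except ValueError as err:
        return str(err)
    return None

# Constructed sample PKI: names and dates are invented for this example.
ROOT = Cert("Example Root CA", "Example Root CA", date(2020, 1, 1), date(2040, 1, 1))
INTER = Cert("Example Issuing CA", "Example Root CA", date(2021, 1, 1), date(2031, 1, 1))
HOST = Cert("vpn-gw.example", "Example Issuing CA", date(2024, 1, 1), date(2026, 1, 1))
TODAY = date(2025, 6, 1)
```

Calling `path_error(HOST, [], [ROOT], TODAY)` reproduces the manual's failure case where the intermediate .cer was not loaded, and a chain of host plus three intermediates is rejected for exceeding the length limit.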
271
Chapter 3: Fundamentals