D-Link NetDefendOS User Manual page 272

Network security firewall
Important: The system date and time must be correct
Make sure the NetDefendOS system date and time are set correctly when using
certificates. Problems with certificates, for example in VPN tunnel establishment, can be
due to an incorrect system date or time.
The NetDefendOS Certificate Cache
NetDefendOS maintains a Certificate Cache in local memory which speeds up processing when
certificates are accessed repeatedly. This cache is only completely cleared and initialized when
NetDefendOS is restarted.
For this reason, it is important to restart NetDefendOS if any certificates are added, modified or
deleted. This can be done with the CLI command:
gw-world:/> shutdown
Certificate Revocation Lists (CRLs)
A Certificate Revocation List (CRL) contains a list of all certificates that the issuing CA has
revoked before their expiration date. CRLs are normally held on an external server which is
accessed to determine if a certificate is still valid. The CRL is downloaded from the server and
NetDefendOS validates the certificate against the list. The ability to validate a user certificate
in this way is a key reason why certificate security simplifies the administration of large user
communities.
CRLs are published on servers that all certificate users can access, using either the LDAP or HTTP
protocols. Revocation can happen for several reasons. One reason could be that the keys of the
certificate have been compromised in some way, or perhaps that the owner of the certificate has
lost the rights to authenticate using that certificate, perhaps because they have left the
company. Whatever the reason, server CRLs can be updated to change the validity of one or
many certificates.
Certificates will usually contain a CRL Distribution Point (CDP) field, which specifies one or more
URLs from which the relevant CRL can be downloaded. In some cases, a certificate may not
contain this field and the location of the CRL has to be configured manually. In NetDefendOS this
is done by specifying a CRL Distribution Point List object and associating it with the certificate in
the configuration. This is explained further in Section 3.9.3, "CRL Distribution Point Lists".
A CA usually updates its CRL at a given interval. The length of this interval depends on how the
CA is configured. Typically, it is somewhere between an hour and several days.
For NetDefendOS to check the CRL for a given certificate it may need access to an external CA
server. Allowing this access is discussed in detail in Section 3.9.4, "CA Server Access".
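The checks described in this section, together with the clock dependency noted under "Important: The system date and time must be correct", can be walked through with the following Python example. It is an added illustration, not D-Link or NetDefendOS code: it builds a throwaway CA in memory, issues a user certificate carrying a CRL Distribution Point, publishes a CRL, and then performs the relying-party checks (certificate signature, validity period, CRL signature and freshness, serial lookup in the revoked list). The CA name, the user name and the CDP URL are constructed placeholders; nothing is fetched from the network, and the third-party 'cryptography' package is required.

```python
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CDP_URL = "http://crl.example.test/ca.crl"  # constructed; only placed in the CDP field

def _when(obj, name):
    """Validity time as aware UTC (newer cryptography releases expose *_utc accessors)."""
    val = getattr(obj, name + "_utc", None) or getattr(obj, name)
    return val if val is None or val.tzinfo else val.replace(tzinfo=dt.timezone.utc)

def make_ca():
    """Self-signed root CA (constructed for the example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5)).not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, common_name):
    """User certificate signed by the CA, carrying a CRL Distribution Point (CDP) field."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = dt.datetime.now(dt.timezone.utc)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CDP_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5)).not_valid_after(now + dt.timedelta(days=90))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials, now, valid_for=dt.timedelta(days=1)):
    """CRL as the CA would publish it; nextUpdate bounds how long a copy may be used."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(now)
               .next_update(now + valid_for))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def cdp_urls(cert):
    """URLs from the CDP field; empty when the CRL location must be configured manually."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value if dp.full_name
            for gn in dp.full_name if isinstance(gn, x509.UniformResourceIdentifier)]

def check_certificate(cert, ca_cert, crl, now):
    """Return (ok, reason) for cert under the trusted CA and its CRL at time 'now'."""
    if cert.issuer != ca_cert.subject:
        return False, "issuer mismatch"
    try:  # the signature over the to-be-signed portion must verify under the CA's key
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad certificate signature"
    # Validity window: this is the check that a wrong system clock breaks.
    if not (_when(cert, "not_valid_before") <= now <= _when(cert, "not_valid_after")):
        return False, "certificate not valid at this time"
    # The CRL itself must come from the same CA and carry a valid signature.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL not signed by the trusted CA"
    nxt = _when(crl, "next_update")
    if nxt is not None and now > nxt:  # past nextUpdate: a fresh copy is needed from the CDP
        return False, "CRL is stale; fetch a new one from the CDP"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate revoked"
    return True, "valid"

def demo():
    """Verdicts before and after revocation, with a stale CRL, and with a skewed clock."""
    ca_key, ca_cert = make_ca()
    leaf = issue_leaf(ca_key, ca_cert, "vpn-user-1")  # constructed user name
    now = dt.datetime.now(dt.timezone.utc)
    clean = build_crl(ca_key, ca_cert, [], now)
    revoking = build_crl(ca_key, ca_cert, [leaf.serial_number], now)
    return {"cdp": cdp_urls(leaf),
            "before": check_certificate(leaf, ca_cert, clean, now),
            "after": check_certificate(leaf, ca_cert, revoking, now),
            "stale": check_certificate(leaf, ca_cert, clean, now + dt.timedelta(days=2)),
            "skewed": check_certificate(leaf, ca_cert, clean, now + dt.timedelta(days=400))}
```

Running demo() shows the four outcomes a firewall can reach with the same certificate: accepted, rejected because its serial is on the CRL, rejected because the cached CRL is past its nextUpdate and must be re-fetched from the CDP, and rejected because the clock is outside the certificate's validity window even though nothing about the certificate changed. The last case is the failure the "Important" note above refers to.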
Trusting Certificates
When using certificates, NetDefendOS trusts anyone whose certificate is signed by a given CA.
Before a certificate is accepted, the following steps are taken to verify the validity of the
certificate:
Construct a certification path up to the trusted root CA.
Verify the signatures of all certificates in the certification path.
272
Chapter 3: Fundamentals