Certificate Authorities - NETGEAR FVX538 - ProSafe VPN Firewall 200 Router Reference Manual

ProSafe VPN Firewall 200 FVX538 Reference Manual

Certificate Authorities

Digital Self Certificates are used to authenticate the identity of users and systems, and are issued
by various CAs (Certification Authorities). Digital Certificates are used by this router during the
IKE (Internet Key Exchange) authentication phase as an alternative authentication method. Self
Certificates are issued to you by various CAs (Certification Authorities).
The FVX538 uses Digital Certificates (also known as X509 Certificates) during the Internet Key
Exchange (IKE) authentication phase to authenticate connecting VPN gateways or clients, or to be
authenticated by remote entities. The same Digital Certificates are extended for secure web access
via SSL VPN connections over HTTPS.
Digital Certificates can be either self signed or can be issued by Certification Authorities (CA)
such as via an in-house Windows server, or by an external organization such as Verisign or
Thawte.
However, if the Digital Certificates contain the extKeyUsage extension then the certificate must be
used for one of the purposes defined by the extension. For example, if the Digital Certificate
contains the extKeyUsage extension defined to SNMPV2 then the same certificate cannot be used
for secure web management.
The extKeyUsage would govern the certificate acceptance criteria in the FVX538 when the same
digital certificate is being used for secure web management.
In the FVX538, the uploaded digital certificate is checked for validity and also the purpose of the
certificate is verified. Upon passing the validity test and the purpose matches its use (has to be SSL
and VPN) the digital certificate is accepted. The additional check for the purpose of the uploaded
digital certificate must correspond to use for VPN and secure web remote management via
HTTPS. If the purpose defined is for VPN & HTTPS then the certificate is uploaded to the HTTPS
certificate repository and as well in the VPN certificate repository. If the purpose defined is ONLY
for VPN then the certificate is only uploaded to the VPN certificate repository. Thus, certificates
used by HTTPS and IPSec will be different if their purpose is not defined to be VPN and HTTPS.
Each CA also issues a CA Identity certificate shown in the Trusted Certificates (CA
Certificates) table. This Certificate is required in order to validate communication with the CA. It
is a three-step process. First, you generate a CA request; then, when the request is granted, you
upload the Self Certificate (shown in the Active Self Certificates table) and then you upload the
CA Identity certificate (shown in the Trusted Certificates table.
The Trusted Certificates table lists the certificates generated and signed by a publicly known
organization or authority called the Certificate Authority. The table lists the certificates of each CA
and contains the following data:
Virtual Private Networking 5-19
v1.0, March 2009