Certificates; Overview - D-Link NetDefend DFL-210 User Manual

3.7. X.509 Certificates
3.7. X.509 Certificates
NetDefendOS supports digital certificates that comply with the ITU-T X.509 standard. This
involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key
distribution and entity authentication.

3.7.1. Overview

An X.509 certificate is a digital proof of identity. It links an identity to a public key in order to
establish whether a public key truly belongs to the supposed owner. By doing this, it prevents data
transfer interception by a malicious third-party who might post a phony key with the name and user
ID of an intended recipient.
Certificates with VPN Tunnels
The predominate usage of certificates in NetDefendOS is with VPN tunnels. The simplest and
fastest way to provide security between the ends of a tunnel is to use Pre-shared Keys (PSKs). As a
VPN network grows so does the complexity of using PSKs. Certificates provide a means to better
manage security in much larger networks.
Certificate Components
A certificate consists of the following:
• A public key: The "identity" of the user, such as name, user ID.
• Digital signatures: A statement that tells the information enclosed in the certificate has been
vouched for by a Certificate Authority (CA).
By binding the above information together, a certificate is a public key with identification attached,
coupled with a stamp of approval by a trusted party.
Certification Authorities
A certification authority ("CA") is a trusted entity that issues certificates to other entities. The CA
digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of
the certificate holder, and guarantees that the certificate has not been tampered with by any third
party.
A certification authority is responsible for making sure that the information in every certificate it
issues is correct. It also has to make sure that the identity of the certificate matches the identity of
the certificate holder.
A CA can also issue certificates to other CAs. This leads to a tree-like certificate hierarchy. The
highest CA is called the root CA. In this hierarchy, each CA is signed by the CA directly above it,
except for the root CA, which is typically signed by itself.
A certification path refers to the path of certificates from one certificate to another. When verifying
the validity of a user certificate, the entire path from the user certificate up to the trusted root
certificate has to be examined before establishing the validity of the user certificate.
The CA certificate is just like any other certificates, except that it allows the corresponding private
key to sign other certificates. Should the private key of the CA be compromised, the whole CA,
including every certificate it has signed, is also compromised.
Validity Time
A certificate is not valid forever. Each certificate contains the dates between which the certificate is
valid. When this validity period expires, the certificate can no longer be used, and a new certificate
79
Chapter 3. Fundamentals