Certificates in NetDefendOS; Uploading an X.509 Certificate - D-Link NetDefend DFL-210 User Manual

Network security firewall
3.7.2. X.509 Certificates in NetDefendOS
has to be issued.
Certificate Revocation Lists
A Certificate Revocation List (CRL) contains a list of all certificates that have been cancelled before their expiration date. This can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way, or perhaps that the owner of the certificate has lost the right to authenticate using that certificate. This could happen, for instance, if an employee has left the company that issued the certificate.

A CRL is regularly published on a server that all certificate users can access, using either the LDAP or HTTP protocol.

Certificates often contain a CRL Distribution Point (CDP) field, which specifies the location from which the CRL can be downloaded. In some cases certificates do not contain this field, and the location of the CRL then has to be configured manually.

The CA updates its CRL at a given interval. The length of this interval depends on how the CA is configured; typically it is somewhere between an hour and several days.
Trusting Certificates
When using certificates, NetDefendOS trusts anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate:
1. Construct a certification path up to the trusted root CA.
2. Verify the signatures of all certificates in the certification path.
3. Fetch the CRL for each certificate to verify that none of the certificates have been revoked.
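The CRL mechanism and the three validation steps above, shown as an added example with the OpenSSL command-line tool (constructed here, not NetDefendOS's own code or configuration): a throwaway root CA issues two peer certificates carrying a CDP field, revokes one of them, and `openssl verify -crl_check` performs path construction, signature verification and the CRL check in one call. The CA name, peer names and CDP URI are made-up placeholders; the script assumes only `openssl` and a POSIX shell.

```shell
# Constructed demo PKI, not NetDefendOS code: a self-signed root CA issues two
# peer certificates carrying a CRL Distribution Point, then revokes one of them.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal 'openssl ca' configuration; the CDP URI is a constructed placeholder.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/root.crt
private_key = $dir/root.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ peer_ext ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
EOF
touch index.txt; echo 1000 > serial; echo 01 > crlnumber
# Root CA (self-signed) plus two peer certificates signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.crt 2>/dev/null
for peer in peer-a peer-b; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$peer" -keyout "$peer.key" -out "$peer.csr" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -extensions peer_ext -in "$peer.csr" -out "$peer.crt" 2>/dev/null
done
openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null   # first CRL: nothing revoked yet
# Read the CDP field: where a relying party would fetch this certificate's CRL.
cdp_uri() { openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\(.*\)/\1/p' | head -n 1; }
# The three checks from the text: build the path to the trusted root, verify every
# signature on it, and consult the issuer's CRL. Exit status 0 only if all pass.
verify_peer() { openssl verify -crl_check -CAfile root.crt -CRLfile demo.crl "$1" >/dev/null 2>&1; }
# What the CA does at its next publication interval after a revocation: a new CRL.
revoke_peer() {
  openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null
}
revoke_peer peer-b.crt
for peer in peer-a peer-b; do
  if verify_peer "$peer.crt"; then echo "$peer: accepted"; else echo "$peer: rejected"; fi
done
```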
Identification Lists
In addition to verifying the signatures of certificates, NetDefendOS also employs identification lists.
An identification list is a list naming all the remote identities that are allowed access through a
specific VPN tunnel, provided the certificate validation procedure described above succeeded.
Reusing Root Certificates
In NetDefendOS, root certificates should be seen as global entities that can be reused between VPN
tunnels. Even though a root certificate is associated with one VPN tunnel in NetDefendOS, it can
still be reused with any number of other, different VPN tunnels.
3.7.2. X.509 Certificates in NetDefendOS
X.509 certificates can be uploaded to the D-Link Firewall for use in IKE/IPsec authentication, Webauth, etc. There are two types of certificates that can be uploaded: self-signed certificates and remote certificates belonging to a remote peer or CA server.
Example 3.18. Uploading an X.509 Certificate
The certificate may either be self-signed or belong to a remote peer or CA server.
Web Interface
1. Go to Objects > Authentication Objects > Add > Certificate
2. Specify a suitable name for the certificate.
80
Chapter 3. Fundamentals