Certificates

A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates.

Before a VPN tunnel with certificate-based authentication can be set up, the firewall needs a certificate of its own and that of the remote firewall. These certificates can either be self-signed certificates, or issued by a CA.

Trusting Certificates

When setting up a VPN tunnel, the firewall has to be told whom it should trust. When using pre-shared keys, this is simple. The firewall trusts anyone who has the same pre-shared key.

When using certificates, on the other hand, you tell the firewall that it can trust anyone whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate:

1. Construct a certification path up to the trusted root CA.

2. Verify the signatures of all certificates in the certification path.

3. Fetch the CRL for each certificate to verify that none of the certificates have been revoked.
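The three checks above, worked through as an added example that is not part of the D-Link manual: it uses the Python cryptography library on a constructed root CA, a peer certificate it issued, and the CA's CRL. The names, keys, the fixed clock and the single-level certification path are all assumptions made for the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # constructed clock

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, issuer, pubkey, signer_key, is_ca):  # constructed test CA helper
    return (x509.CertificateBuilder().subject_name(name(subject_cn)).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def make_crl(ca_cert, ca_key, revoked_serials):  # the CA's CRL listing revoked serials
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=30)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def verify_peer(cert, trusted_cas, crls):  # returns (accepted, reason)
    # 1. Certification path: the trusted root whose subject is this cert's issuer (one level).
    root = next((c for c in trusted_cas if c.subject == cert.issuer), None)
    if root is None:
        return False, "no trusted CA for issuer " + cert.issuer.rfc4514_string()
    # 2. Verify every signature on the path with the issuing certificate's public key.
    for subject, issuer in ((cert, root), (root, root)):
        try:
            issuer.public_key().verify(subject.signature, subject.tbs_certificate_bytes,
                                       padding.PKCS1v15(), subject.signature_hash_algorithm)
        except InvalidSignature:
            return False, "bad signature on " + subject.subject.rfc4514_string()
    # 3. The CA's CRL must itself be signed by the CA and must not list the peer's serial.
    crl = next((c for c in crls if c.issuer == root.subject), None)
    if crl is None or not crl.is_signature_valid(root.public_key()):
        return False, "no valid CRL for " + root.subject.rfc4514_string()
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate revoked"
    return True, "accepted"

ca_key = rsa.generate_private_key(65537, 2048)  # constructed root CA key
fw_key = rsa.generate_private_key(65537, 2048)  # constructed remote peer key
CA = issue("Test Root CA", name("Test Root CA"), ca_key.public_key(), ca_key, True)
FW = issue("remote-firewall", CA.subject, fw_key.public_key(), ca_key, False)
```

A peer whose certificate is signed by an unknown CA, carries a signature that does not verify, or appears on the CA's CRL is rejected with the matching reason.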

Local identities

This is a list of all the local identity certificates that can be used in VPN tunnels. A local identity certificate is used by the firewall to prove its identity to the remote VPN peer.

To add a new local identity certificate, click Add new. The following pages will allow you to specify a name for the local identity, and upload the certificate and private key files. This certificate can be selected in the Local Identity field on the VPN page.

This list also includes a special certificate called Admin. This is the certificate used by the web interface to provide HTTPS access.

Note: The certificate named Admin can only be replaced, not deleted or renamed. This is used for HTTPS access to the DFL-700.

Certificates of remote peers

This is a list of all certificates of individual remote peers.

To add a new remote peer certificate, click Add new. The following pages will allow you to specify a name for the remote peer certificate and upload the certificate file. This certificate can be selected in the Certificates field on the VPN page.

D-Link DFL-700 manual Trusting Certificates, Local identities, Certificates of remote peers