• Fetch the CRL for each certificate to verify that none of the certificates have been revoked.
ID Lists
In addition to verifying the signatures of certificates, NetDefendOS can also use an ID list object when authenticating a connecting IPsec client. An ID list contains all IDs that are allowed access through a specific IPsec tunnel. An ID is sent by the peer during the IKE negotiation and if a matching tunnel is found with this remote ID, authentication is then performed by checking to see if the certificate sent by the client contains that ID.
Using IPsec ID lists with certificates is described further in Section 9.3.8, “Using ID Lists with .
Reusing Root Certificates
In NetDefendOS, root certificates should be seen as global entities that can be reused between
VPN tunnels. Even though a root certificate is associated with one VPN tunnel in NetDefendOS, it
can still be reused with any number of other, different VPN tunnels.
Other Considerations
A number of other factors should be kept in mind when using certificates:
• If Certificate Revocation Lists (CRLs) are used then the CRL distribution point is defined as an FQDN (for example, caserver.example.com) which must be resolved to an IP address using a public DNS server. At least one DNS server that can resolve this FQDN should therefore be defined in NetDefendOS.
The CRL distribution point can be contained in the certificate but NetDefendOS also provides the ability to associate alternative CRL distribution points with a certificate. This is described further in Section 3.9.3, “CRL Distribution Point Lists”.
• Do not get the Host Certificate files and Root Certificate files mixed up. Although it is not possible to use a Host Certificate in NetDefendOS as a Root Certificate, it is possible to accidentally use a Host Certificate as a Root Certificate.
• Host certificates have two files associated with them and these have the filetypes .key and .cer. The filename of these files must be the same for NetDefendOS to be able to use them. For example, if the certificate is called my_cert then the files are my_cert.key and my_cert.cer.
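The three considerations above can be checked on the administrator's workstation before a file is uploaded. The script below is an added example and is not from the NetDefendOS manual or from D-Link; it assumes the openssl command-line tool is installed, builds its own constructed root and host certificates, and then reports whether a .cer file is a root (CA) or host certificate, which CRL distribution point FQDN it names, and whether the .key/.cer pair shares a base name.

```shell
#!/bin/sh
# Added example, not from the NetDefendOS manual: pre-upload checks for
# certificate files. Assumes the openssl command-line tool is available.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# classify_cert FILE: prints "root" when the certificate carries
# basicConstraints CA:TRUE, otherwise "host". Guards against uploading
# a host certificate in place of a root certificate.
classify_cert() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo root
  else
    echo host
  fi
}

# crl_dp_fqdn FILE: prints the FQDN of the first http(s) CRL distribution
# point in the certificate (empty if none). This is the name that a DNS
# server defined in NetDefendOS must be able to resolve.
crl_dp_fqdn() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's|.*URI:https\{0,1\}://\([^/]*\).*|\1|p' | head -n 1
}

# check_pair DIR NAME: succeeds only if both NAME.key and NAME.cer exist,
# i.e. the two files share the base name NetDefendOS requires.
check_pair() {
  [ -f "$1/$2.key" ] && [ -f "$1/$2.cer" ]
}

# Constructed sample data: a self-signed root CA and a host certificate
# "my_cert" that it signs, with a CRL distribution point at caserver.example.com.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints = critical, CA:TRUE\n' > "$WORK/root.ext"
printf 'basicConstraints = CA:FALSE\n' > "$WORK/host.ext"
printf 'crlDistributionPoints = URI:http://caserver.example.com/ca.crl\n' >> "$WORK/host.ext"
for n in root my_cert; do
  openssl genrsa -out "$WORK/$n.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$n.key" \
    -subj "/CN=$n" -out "$WORK/$n.csr" 2>/dev/null
done
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
  -extfile "$WORK/root.ext" -out "$WORK/root.cer" 2>/dev/null
openssl x509 -req -in "$WORK/my_cert.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -extfile "$WORK/host.ext" -out "$WORK/my_cert.cer" 2>/dev/null
for f in root my_cert; do
  echo "$f.cer: $(classify_cert "$WORK/$f.cer") certificate, CRL DP FQDN: $(crl_dp_fqdn "$WORK/$f.cer")"
done
```

Resolving the printed FQDN with the DNS server that NetDefendOS is configured to use (for example with nslookup) is the remaining step before the CRL check can succeed on the firewall.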
3.9.2. Uploading and Using Certificates
Certificate File Uploading
Certificate files can be uploaded to NetDefendOS in one of two ways:
• Upload using Secure Copy (SCP).
• Upload through the Web Interface.
SCP Uploading
The following command lines show how a typical SCP utility might upload a certificate consisting
Chapter 3: Fundamentals
273