Manage Users, Authentication, and VPN Certificates
306
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 76. Edit User screen settings (continued)
Setting | Description
Check to Edit Password | Select this check box to make the password fields editable so that you can change the password.
Enter Your Password | Enter the password with which you are currently logged in.
New Password | Enter the new password.
Confirm New Password | Reenter the new password for confirmation.
Idle Timeout | The period after which an idle user is automatically logged out of the web management interface. The default idle time-out period is 5 minutes.

4. Click Apply to save your settings.

Manage Digital Certificates for VPN Connections
The wireless VPN firewall uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways or clients, or to be authenticated by remote entities:
• On the wireless VPN firewall, you enter a digital certificate on the IKE Policies screen, where the certificate is referred to as an RSA signature (see Figure 138 on page 220 and Authentication Method on page 223).
• On the VPN Client, you enter a digital certificate on the Authentication pane in the Configuration Panel screen (see Figure 125 on page 208).
Digital certificates are also used for secure web management access over HTTPS (that is, SSL connections).
Digital certificates can be self-signed or can be issued by certification authorities (CAs) such as an internal Windows server or an external organization such as Verisign or Thawte. However, if a digital certificate contains the extKeyUsage extension, the certificate can be used only for the purposes defined by that extension. For example, if the digital certificate contains an extKeyUsage extension that is defined for SNMPv2, the same certificate cannot be used for secure web management: the extKeyUsage governs the acceptance criteria on the wireless VPN firewall when that certificate is offered for secure web management.
On the wireless VPN firewall, an uploaded digital certificate is checked for validity and purpose. The digital certificate is accepted when it passes the validity test and its purpose matches its intended use, which is IPSec VPN, SSL VPN, or both. If the defined purpose covers both IPSec VPN and SSL VPN, the digital certificate is loaded into both the IPSec VPN certificate repository and the SSL VPN certificate repository. If the defined purpose is IPSec VPN only, the certificate is loaded only into the IPSec VPN certificate repository.
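The purpose check described above, as an added worked example in Python written for this page (not NETGEAR's code): it encodes and decodes the DER value of the extKeyUsage extension and decides which certificate repositories a certificate qualifies for. The OIDs are the standard ones from RFC 5280 and RFC 4945; the mapping of purposes to the IPSec VPN and SSL VPN repositories is an assumption, because the manual does not list the OIDs the firewall accepts, and the Microsoft smartcard-logon OID is used only as an unrelated purpose standing in for the manual's SNMPv2 example.

```python
"""Added example for this page (not NETGEAR code): parse the DER value of an
X.509 extKeyUsage (EKU) extension and decide which FVS318N certificate
repositories a certificate qualifies for, following the manual's rule that a
certificate with an EKU may be used only for the purposes it lists."""

# Standard EKU object identifiers (RFC 5280 section 4.2.1.12, RFC 4945 section 5.1.3.12)
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # TLS server authentication (HTTPS / SSL VPN)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # TLS client authentication
IPSEC_IKE = "1.3.6.1.5.5.7.3.17"    # IKE peer authentication (id-kp-ipsecIKE)
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # unrelated purpose, stands in for the manual's SNMPv2 example

# Assumed mapping (the manual does not list the OIDs the firewall accepts):
# which EKU makes a certificate acceptable for which repository.
REPOSITORY_EKUS = {
    "IPSec VPN": {IPSEC_IKE},
    "SSL VPN": {SERVER_AUTH},
}


def encode_oid(dotted):
    """DER-encode a dotted OID as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                          # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Inverse of encode_oid for the value bytes (first arc 0 or 1, or 2 with second arc < 40)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId; short-form lengths only."""
    inner = b"".join(encode_oid(o) for o in oids)
    if len(inner) >= 0x80:
        raise ValueError("example handles short-form lengths only")
    return bytes([0x30, len(inner)]) + inner


def decode_eku(der):
    """Return the list of dotted OIDs in an extKeyUsage extension value."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form ExtKeyUsageSyntax SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at offset %d" % pos)
        n = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return oids


def repositories_for(eku_der):
    """eku_der is the DER value of extKeyUsage, or None when the certificate has no
    such extension (then the manual's rule imposes no purpose restriction)."""
    if eku_der is None:
        return sorted(REPOSITORY_EKUS)
    present = set(decode_eku(eku_der))
    if ANY_EKU in present:                           # anyExtendedKeyUsage: no restriction
        return sorted(REPOSITORY_EKUS)
    return sorted(repo for repo, needed in REPOSITORY_EKUS.items() if needed & present)


if __name__ == "__main__":
    for label, eku in [("no EKU", None),
                       ("serverAuth + ipsecIKE", encode_eku([SERVER_AUTH, IPSEC_IKE])),
                       ("ipsecIKE only", encode_eku([IPSEC_IKE])),
                       ("unrelated purpose", encode_eku([SMARTCARD_LOGON]))]:
        print("%-22s -> %s" % (label, repositories_for(eku) or "rejected"))
```

A certificate without an extKeyUsage extension lands in both repositories, one listing only id-kp-ipsecIKE lands in the IPSec VPN repository only, and one whose EKU names an unrelated purpose is rejected for both, which is the behaviour the text describes for the SNMPv2 case.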
The wireless VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that contains the following elements:
• The server's public key, which clients use to encrypt messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified.
You can obtain a digital certificate from a well-known commercial certification authority (CA) such as Verisign or Thawte, or you can generate and sign your own digital certificate. Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate from a commercial CA provides strong assurance of the server's identity. A self-signed digital certificate triggers a warning from most browsers because it provides no protection against impersonation of the server.
The wireless VPN firewall ships with a self-signed digital certificate from NETGEAR. This certificate can be downloaded from the wireless VPN firewall login screen for import into your browser. However, NETGEAR recommends that you replace this digital certificate with one from a well-known commercial CA before deploying the wireless VPN firewall in your network.
VPN Certificates Screen
To display the Certificates screen, select VPN > Certificates. Because of the large size of this screen, and because of the way the information is presented, the Certificates screen is divided and presented in this manual in three figures (Figure 187 on page 308, Figure 189 on page 310, and Figure 191 on page 313).
The Certificates screen lets you view the currently loaded digital certificates, upload a new digital certificate, and generate a certificate signing request (CSR). The wireless VPN firewall typically holds two types of digital certificates:
• CA certificates. Each CA issues its own digital certificate, which is used to validate communication with the CA and to verify the digital certificates that are signed by the CA.
• Self certificates. The digital certificates that identify your device. Although the screen calls them self-signed certificates, they are normally issued to you by a CA in response to a certificate signing request.
The Certificates screen contains four tables that are explained in detail in the following sections:
• Trusted Certificates (CA Certificate) table. Contains the trusted digital certificates that were issued by CAs and that you uploaded (see Manage VPN CA Certificates on this page).
• Active Self Certificates table. Contains the device certificates that were issued by CAs and that you uploaded (see Manage VPN Self-Signed Certificates on page 309).
• Self Certificate Requests table. Contains the certificate signing requests that you generated. These requests might or might not have been submitted to CAs, and CAs might or might not have issued digital certificates for these requests. Only the certificates in the Active Self Certificates table are active on the wireless VPN firewall (see Manage VPN Self-Signed Certificates on page 309).
• Certificate Revocation Lists (CRL) table. Contains the lists of digital certificates that have been revoked and are no longer valid, that were issued by CAs, and that you uploaded. Note, however, that the table displays only the active CAs and their critical release dates (see Manage the VPN Certificate Revocation List on page 313).
Manage VPN CA Certificates
To view and upload trusted certificates:
Select VPN > Certificates. The Certificates screen displays. (The following figure shows the top section of the screen with the trusted certificate information and an example certificate in the Trusted Certificates [CA Certificate] table.)
Figure 187. Certificates, screen 1 of 3
The Trusted Certificates (CA Certificate) table lists the digital certificates of CAs and contains the following fields:
• CA Identity (Subject Name). The organization or person to whom the digital certificate is issued. For a root CA certificate this is the CA itself, so the Subject Name and the Issuer Name are the same.
• Issuer Name. The name of the CA that issued the digital certificate.
• Expiry Time. The date after which the digital certificate becomes invalid.
To upload a digital certificate of a trusted CA on the wireless VPN firewall:
1. Download the digital certificate file from the trusted CA and store it on your computer. Obtain the file over a trusted channel and compare its fingerprint with the one the CA publishes: anything you upload here becomes a trust anchor for every VPN peer that presents a certificate signed by that CA.
2. In the Upload Trusted Certificates section of the screen, click the Browse button and navigate to the trusted digital certificate file that you downloaded to your computer.
3. Click the Upload table button. If the verification process on the wireless VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificates) table.
To delete one or more digital certificates:
1. In the Trusted Certificates (CA Certificate) table, select the check box to the left of each digital certificate that you want to delete, or click the Select All table button to select all digital certificates.
2. Click the Delete table button.
Manage VPN Self-Signed Certificates
Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed digital certificate triggers a warning from most browsers because it provides no protection against impersonation of the server. (The following figure shows an image of a browser security alert.)
There are three reasons why a security alert is generated for a security certificate:
• The security certificate was issued by a CA that you have not chosen to trust.
• The date of the security certificate is invalid (it is not yet valid or has expired).
• The name on the security certificate is invalid or does not match the name of the site.
When a security alert is generated, the user can decide whether or not to trust the host.
Figure 188. Browser security alert
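The three alert reasons above, as an added worked example in Python written for this page (not browser or NETGEAR code): a validator that reports which of the three checks a browser would fail for a given host name, including the RFC 6125 wildcard rules behind the name check. The certificate records, the trust store and the host names are constructed for the example; the record labelled NETGEAR only stands in for the factory self-signed certificate and is not its real content.

```python
"""Added example for this page (not browser or NETGEAR code): the three checks
that produce a browser security alert, run on simplified certificate records.
All sample data below is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str              # RFC 4514 style, e.g. "CN=vpn.example.com,O=Example"
    issuer: str
    not_before: datetime
    not_after: datetime
    dns_names: tuple = ()     # subjectAltName dNSName entries, checked before the CN


def subject_cn(name):
    """Pull the CN attribute out of a comma-separated distinguished name."""
    for part in name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return None


def name_matches(pattern, host):
    """RFC 6125 host matching: case-insensitive, and '*' is accepted only as the
    whole leftmost label, matching exactly one label (so *.example.com matches
    gw.example.com but neither example.com nor a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (p_labels[0] == "*" and len(p_labels) >= 3
            and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:])


def alert_reasons(cert, host, trust_store, now):
    """trust_store maps the subject name of each trusted CA certificate to that
    certificate. Returns the list of alert reasons; [] means no alert."""
    reasons = []
    # 1. Issued by a CA the user has chosen to trust. A self-signed certificate
    #    (issuer == subject) passes only if the user imported it into the store,
    #    which is what the firewall's login-screen download is for.
    if cert.issuer not in trust_store:
        reasons.append("issuer not trusted")
    # 2. Validity period.
    if not cert.not_before <= now <= cert.not_after:
        reasons.append("certificate date invalid")
    # 3. Host name: subjectAltName when present, else the subject CN.
    names = cert.dns_names or tuple(n for n in (subject_cn(cert.subject),) if n)
    if not any(name_matches(n, host) for n in names):
        reasons.append("name does not match host")
    return reasons


# Constructed sample data (not real certificates).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
ROOT_CA = Cert("CN=Example Root CA,O=Example", "CN=Example Root CA,O=Example",
               datetime(2020, 1, 1, tzinfo=timezone.utc), datetime(2040, 1, 1, tzinfo=timezone.utc))
VPN_CERT = Cert("CN=vpn.example.com,O=Example", ROOT_CA.subject,
                datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2030, 1, 1, tzinfo=timezone.utc),
                ("vpn.example.com", "*.example.com"))
# Stands in for the factory certificate: self-signed, and its CN is not a host name.
DEFAULT_CERT = Cert("CN=FVS318N,O=NETGEAR", "CN=FVS318N,O=NETGEAR",
                    datetime(2012, 1, 1, tzinfo=timezone.utc), datetime(2032, 1, 1, tzinfo=timezone.utc))
TRUST_STORE = {ROOT_CA.subject: ROOT_CA}


if __name__ == "__main__":
    print(alert_reasons(VPN_CERT, "gw.example.com", TRUST_STORE, NOW))
    print(alert_reasons(DEFAULT_CERT, "192.168.1.1", TRUST_STORE, NOW))
    imported = {**TRUST_STORE, DEFAULT_CERT.subject: DEFAULT_CERT}
    print(alert_reasons(DEFAULT_CERT, "192.168.1.1", imported, NOW))
```

Importing the factory certificate into the browser's trust store, as the login-screen download allows, removes only the first reason; the name mismatch remains because the certificate's CN is not the address you browse to, which is why the text recommends replacing it with a CA-issued certificate for the firewall's real host name.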
Generate a CSR and Obtain a Self-Signed Certificate from a CA
To use a self certificate, you first need to request the digital certificate from a CA, and then download and activate the digital certificate on the wireless VPN firewall. To request the certificate from a CA, you generate a certificate signing request (CSR) for and on the wireless VPN firewall, so that the key pair is created on the device itself. The CSR is a file that contains information about your company and about the device that holds the certificate. Refer to the CA for guidelines about the information that you need to include in your CSR.
To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the wireless VPN firewall:
1. Select VPN > Certificates. The Certificates screen displays. The following figure shows the middle section of the screen with the Active Self Certificates section, Generate Self Certificate Request section, and Self Certificate Requests section. (The Self Certificate Requests table contains an example certificate.)
Figure 189. Certificates, screen 2 of 3
2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table:
Table 77. Generate self-signed certificate request settings
Setting | Description
Name | A descriptive name of the domain for identification and management purposes.
Subject | The name that other organizations see as the holder (owner) of the certificate. In general, use your registered business name or official company name for this purpose. Note: Generally, all of your certificates should have the same value in the Subject field.
