Chapter 7:
Managing Users, Authentication, and Certificates
|
125
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
or clients, or to be authenticated by remote entities. The same Digital Certificates are
extended for secure web access connections over HTTPS.
Digital Certificates can be either self-signed or issued by a Certification Authority (CA), such
as an in-house Windows server or an external organization such as Verisign or Thawte.
However, if a Digital Certificate contains the extKeyUsage extension, then the certificate can
be used only for the purposes defined by that extension. For example, if the Digital
Certificate's extKeyUsage extension is defined to SNMPV2, then the same certificate cannot
be used for secure web management.
The extKeyUsage extension therefore governs the acceptance criteria for a certificate in the
network storage when the same digital certificate is used for secure web management.
In the network storage, an uploaded digital certificate is checked for validity, and the purpose
of the certificate is also verified. The certificate is accepted if it passes the validity test and
its purpose matches its intended use (which has to be SSL and VPN). This additional check
requires that the purpose of the uploaded digital certificate correspond to its use for VPN
and for secure remote web management via HTTPS. If the defined purpose is VPN and
HTTPS, then the certificate is uploaded to both the HTTPS certificate repository and the VPN
certificate repository. If the defined purpose is only VPN, then the certificate is uploaded only
to the VPN certificate repository. Thus, the certificates used by HTTPS and IPSec will be
different if their purpose is not defined as both VPN and HTTPS.
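As an added example (not code from the manual or from NETGEAR), the following Go program applies the acceptance rule described above to a certificate: it checks the validity period, then reads extKeyUsage and decides whether the certificate belongs in the HTTPS repository, the VPN repository, or both, rejecting one whose purposes cover neither use. It assumes that serverAuth stands for secure web management and that the IPsec purposes (including id-kp-ipsecIKE) stand for VPN, since the manual does not name the OIDs it maps to each use; the certificates are constructed in-line for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

type Placement struct{ HTTPS, VPN bool } // repositories an uploaded certificate may enter
// id-kp-ipsecIKE (RFC 4945). Go has no named constant for it; counting it as a VPN purpose is an assumption.
var oidIPsecIKE = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 17}

// classify applies the manual's two checks: validity period first, then extKeyUsage against intended use.
func classify(cert *x509.Certificate, now time.Time) (Placement, error) {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return Placement{}, errors.New("certificate is outside its validity period")
	}
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return Placement{HTTPS: true, VPN: true}, nil // no extKeyUsage: use is not restricted
	}
	var p Placement
	for _, eku := range cert.ExtKeyUsage {
		p.HTTPS = p.HTTPS || eku == x509.ExtKeyUsageServerAuth // TLS server: web management over HTTPS
		p.VPN = p.VPN || eku == x509.ExtKeyUsageIPSECTunnel || eku == x509.ExtKeyUsageIPSECUser || eku == x509.ExtKeyUsageIPSECEndSystem
	}
	for _, oid := range cert.UnknownExtKeyUsage { // Go reports id-kp-ipsecIKE only by OID
		p.VPN = p.VPN || oid.Equal(oidIPsecIKE)
	}
	if !p.HTTPS && !p.VPN { // only unrelated purposes (e.g. SNMP): reject for both uses
		return Placement{}, errors.New("extKeyUsage permits neither HTTPS nor VPN use")
	}
	return p, nil
}

// selfSigned builds a constructed test certificate (not from the manual) carrying the given extKeyUsage values.
func selfSigned(ekus []x509.ExtKeyUsage, notAfter time.Time, extra ...asn1.ObjectIdentifier) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "vpn-firewall.example"},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter, ExtKeyUsage: ekus, UnknownExtKeyUsage: extra}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```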
The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients,
and to be authenticated by remote entities. A certificate that authenticates a server, for
example, is a file that contains:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the
signature is from a trusted third party whose identity can be verified absolutely.
You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as
Verisign or Thawte, or you can generate and sign your own certificate. Because a
commercial CA takes steps to verify the identity of an applicant, a certificate from a
commercial CA provides strong assurance of the server's identity. A self-signed certificate
will trigger a warning from most browsers because it provides no protection against
impersonation of the server.
Your VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you
replace this certificate prior to deploying the VPN firewall in your network.
From the Certificates screen, you can view the currently loaded certificates, upload a new
certificate, and generate a Certificate Signing Request (CSR). Your VPN firewall will typically
hold two types of certificates:
• CA certificate. Each CA issues its own CA identity certificate in order to validate
communication with the CA and to verify the validity of certificates signed by the CA.
• Self certificate. The certificate issued to you by a CA identifying your device.