Manage Users, Authentication, and VPN
Certificates
321
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate
from a commercial CA provides a strong assurance of the server’s identity. A self-signed
digital certificate triggers a warning from most browsers because it provides no protection
against identity theft of the server.
The VPN firewall contains a self-signed digital certificate from NETGEAR. This certificate can
be downloaded from the VPN firewall login screen for browser import. However, NETGEAR
recommends that you replace this digital certificate with a digital certificate from a well-known
commercial CA before you deploy the VPN firewall in your network.
VPN Certificates Screen
To display the Certificates screen, select VPN > Certificates. Because of the large size of this screen, and because of the way the information is presented, the Certificates screen is divided and presented in this manual in three figures (Figure 212 on page 322, Figure 214 on page 324, and Figure 216 on page 327).
The Certificates screen lets you view the loaded digital certificates, upload a new digital certificate, and generate a certificate signing request (CSR). The VPN firewall typically holds two types of digital certificates:
• CA certificates. Each CA issues its own digital certificate to validate communication with the CA and to verify the validity of digital certificates that are signed by the CA.
• Self-signed certificates. The digital certificates that are issued to you by a CA to identify your device.
The Certificates screen contains four tables that are described in detail in the following sections:
• Trusted Certificates (CA Certificate) table. Contains the trusted digital certificates that were issued by CAs and that you uploaded (see Manage VPN CA Certificates on this page).
• Active Self Certificates table. Contains the self-signed certificates that were issued by CAs and that you uploaded (see Manage VPN Self-Signed Certificates on page 323).
• Self Certificate Requests table. Contains the self-signed certificate requests that you generated. These requests might or might not have been submitted to CAs, and CAs might or might not have issued digital certificates for these requests. Only the self-signed certificates in the Active Self Certificates table are active on the VPN firewall (see Manage VPN Self-Signed Certificates on page 323).
• Certificate Revocation Lists (CRL) table. Contains the lists with digital certificates that have been revoked and are no longer valid, that were issued by CAs, and that you uploaded. Note, however, that the table displays only the active CAs and their critical release dates (see Manage the VPN Certificate Revocation List on page 326).
Manage VPN CA Certificates
To view and upload trusted certificates:
Select VPN > Certificates. The Certificates screen displays. (The following figure shows the top section of the screen with the trusted certificate information and an example certificate in the Trusted Certificates [CA Certificate] table.)
Figure 212. Certificates, screen 1 of 3
The Trusted Certificates (CA Certificate) table lists the digital certificates of CAs and contains the following fields:
• CA Identity (Subject Name). The organization or person to whom the digital certificate is issued.
• Issuer Name. The name of the CA that issued the digital certificate.
• Expiry Time. The date after which the digital certificate becomes invalid.
To upload a digital certificate of a trusted CA on the VPN firewall:
1. Download a digital certificate file from a trusted CA and store it on your computer.
2. In the Upload Trusted Certificates section of the screen, click the Browse button and navigate to the trusted digital certificate file that you downloaded on your computer.
3. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificates) table.
To delete one or more digital certificates:
1. In the Trusted Certificates (CA Certificate) table, select the check box to the left of each digital certificate that you want to delete, or click the Select All table button to select all digital certificates.
2. Click the Delete table button.
Manage VPN Self-Signed Certificates
Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed digital certificate triggers a warning from most browsers because it provides no protection against identity theft of the server. (The following figure shows an image of a browser security alert.)
There can be three reasons why a security alert is generated for a security certificate:
• The security certificate was issued by a company you have not chosen to trust.
• The date of the security certificate is invalid.
• The name on the security certificate is invalid or does not match the name of the site.
When a security alert is generated, the user can decide whether to trust the host.
Figure 213.
Generate a CSR and Obtain a Self-Signed Certificate from a CA
To use a self-signed certificate, you first need to request the digital certificate from a CA, and then download and activate the digital certificate on the VPN firewall. To request a self-signed certificate from a CA, you need to generate a certificate signing request (CSR) for and on the VPN firewall. The CSR is a file that contains information about your company and about the device that holds the certificate. Refer to the CA for guidelines about the information that you need to include in your CSR.
To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the VPN firewall:
1. Select VPN > Certificates. The Certificates screen displays. The following figure shows the middle section of the screen with the Active Self Certificates section, Generate Self Certificate Request section, and Self Certificate Requests section. (The Self Certificate Requests table contains an example certificate.)
Figure 214. Certificates, screen 2 of 3
2. In the Generate Self Certificate Request section of the screen, enter the settings as described in the following table:
Table 82. Generate self-signed certificate request settings
Setting and description:
Name. A descriptive name of the domain for identification and management purposes.
Subject. The name that other organizations see as the holder (owner) of the certificate. In general, use your registered business name or official company name for this purpose.
Note: Generally, all of your certificates should have the same value in the Subject field.
Hash Algorithm. From the drop-down list, select one of the following hash algorithms:
• MD5. A 128-bit (16-byte) message digest, slightly faster than SHA-1.
• SHA-1. A 160-bit (20-byte) message digest, slightly stronger than MD5.
Signature Algorithm. Although this seems to be a drop-down list, the only possible selection is RSA. In other words, RSA is the default to generate a CSR.
Signature Key Length. From the drop-down list, select one of the following signature key lengths in bits: 512, 1024, or 2048.
Note: Larger key sizes might improve security, but might also decrease performance.
Optional Fields
IP Address. Enter your fixed (static) IP address. If your IP address is dynamic, leave this field blank.
Domain Name. Enter your Internet domain name, or leave this field blank.
E-mail Address. Enter the email address of a technical contact in your company.
3. Click the Generate table button. A new SCR is created and added to the Self Certificate Requests table.
4. In the Self Certificate Requests table, click the View table button in the Action column to view the new SCR. The Certificate Request Data screen displays:
Figure 215.
5. Copy the contents of the Data to supply to CA text field into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----”.
6. Submit your SCR to a CA:
   a. Connect to the website of the CA.
   b. Start the SCR procedure.
   c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”).
   d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA.
7. Download the digital certificate file from the CA, and store it on your computer.
8. Return to the Certificates screen (see Figure 214 on page 324) and locate the Self Certificate Requests section.
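The settings chosen in Table 82 end up encoded in the request text that step 5 has you copy, so before sending it to a CA it is worth confirming what the firewall actually generated. The following Python script is added here as an illustration and is not NETGEAR's code: it parses the PEM block between the BEGIN and END lines with a small DER walker, reports the subject, signature algorithm and RSA key size, and flags the MD5/SHA-1 and 512/1024-bit choices. The CSR it builds for testing is constructed (zero-filled signature), and the 2048-bit minimum is our assumption.

```python
import base64

def der(tag, body):  # DER tag-length-value with minimal-length encoding
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body
def tlv(buf, pos=0):  # (tag, body, next_pos) of the element starting at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln
def children(body):  # (tag, body) of every element inside a constructed element
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = tlv(body, pos)
        out.append((tag, inner))
    return out

RSA_OID, CN_OID = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("550403")
SIG_OIDS = {"2a864886f70d010104": "md5WithRSA", "2a864886f70d010105": "sha1WithRSA", "2a864886f70d01010b": "sha256WithRSA"}

def build_csr_pem(subject_cn, key_bits, sig_oid_hex):  # constructed sample CSR; signature is zero-filled, not real
    mod = ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8, "big")  # top bit set, so the INTEGER needs a 0x00 pad
    rsa_key = der(0x30, der(0x02, b"\x00" + mod) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    subject = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, subject_cn.encode()))))
    info = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, b""))
    sig_alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + der(0x05, b""))
    b64 = base64.b64encode(der(0x30, info + sig_alg + der(0x03, b"\x00" * (key_bits // 8 + 1)))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

def inspect_csr(pem):  # parse the text copied from 'Data to supply to CA': subject CN, signature alg, key size
    lines = pem.strip().splitlines()
    if lines[0] != "-----BEGIN CERTIFICATE REQUEST-----" or lines[-1] != "-----END CERTIFICATE REQUEST-----":
        raise ValueError("copy everything from the BEGIN line to the END line inclusive")
    _, csr, _ = tlv(base64.b64decode("".join(lines[1:-1])))
    info, sig_alg, _sig = children(csr)
    _ver, subject, spki, _attrs = children(info[1])
    attrs = [children(children(rdn)[0][1]) for _, rdn in children(subject[1])]
    cn = next(v.decode() for a in attrs if a[0][1] == CN_OID for _, v in a[1:])
    sig_hex = children(sig_alg[1])[0][1].hex()
    _alg, pubkey = children(spki[1])
    modulus = children(children(pubkey[1][1:])[0][1])[0][1]  # BIT STRING -> RSAPublicKey -> modulus
    return {"subject_cn": cn, "sig_alg": SIG_OIDS.get(sig_hex, sig_hex), "key_bits": int.from_bytes(modulus, "big").bit_length()}
def policy_findings(info, min_bits=2048):  # thresholds are our assumption, not a NETGEAR or CA rule
    findings = [] if info["key_bits"] >= min_bits else [f"RSA key of {info['key_bits']} bits is below {min_bits}"]
    if info["sig_alg"] in ("md5WithRSA", "sha1WithRSA"):
        findings.append(f"signature algorithm {info['sig_alg']} uses a weak hash: use SHA-256 or stronger")
    return findings
```

Run `policy_findings(inspect_csr(open("request.txt").read()))` on the saved text file from step 5; an empty list means nothing to fix before submitting.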