D-Link DFL-200 User Manual
Certificates
A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy
manner. Certificates can be used to authenticate individual users or other entities. These
types of certificates are commonly called end-entity certificates.
types of certificates are commonly called end-entity certificates.
Before a VPN tunnel with certificate based authentication can be set up, the firewall needs
a certificate of its own and that of the remote firewall. These certificates can either be self-
signed certificates, or issued by a CA.
signed certificates, or issued by a CA.
Trusting Certificates
When setting up a VPN tunnel, the firewall has to be told whom it should trust. When using
pre-shared keys, this is simple. The firewall trusts anyone who has the same pre-shared key.
When using certificates, on the other hand, you tell the firewall that it can trust anyone
whose certificate is signed by a given CA. Before a certificate is accepted, the following steps
are taken to verify the validity of the certificate:
are taken to verify the validity of the certificate:
•
Construct a certification path up to the trusted root CA.
•
Verify the signatures of all certificates in the certification path.
•
Fetch the CRL for each certificate to verify that none of the certificates have been
revoked.
revoked.
Local identities
This is a list of all the local identity certificates that can be used in VPN tunnels. A local
identity certificate is used by the firewall to prove its identity to the remote VPN peer.
To add a new local identity certificate, click Add new. The following pages will allow you to
specify a name for the local identity, and upload the certificate and private key files. This
certificate can be selected in the Local Identity field on the VPN page.
certificate can be selected in the Local Identity field on the VPN page.
This list also includes a special certificate called Admin. This is the certificate used by the
web interface to provide HTTPS access.
Note: The certificate named Admin can only be replaced, not deleted or renamed. This is
used for HTTPS access to the DFL-200.
Certificates of remote peers
This is a list of all certificates of individual remote peers.
To add a new remote peer certificate, click Add new. The following pages will allow you to
specify a name for the remote peer certificate and upload the certificate file. This certificate
can be selected in the Certificates field on the VPN page.
can be selected in the Certificates field on the VPN page.
Certificate Authorities
This is a list of all CA certificates. To add a new Certificate Authority certificate, click Add
new. The following pages will allow you to specify a name for the CA certificate and upload
the certificate file. This certificate can be selected in the Certificates field on the VPN page.
the certificate file. This certificate can be selected in the Certificates field on the VPN page.