Netgear FVS318Gv2 – ProSAFE VPN Firewall Series Reference Manual

Manage Users, Authentication, and VPN Certificates 
Your changes are saved.
Manage Digital Certificates for VPN Connections
The VPN firewall uses digital certificates (also known as X.509 certificates) during the Internet 
Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways 
or clients, or to be authenticated by remote entities. You can do the following:
• On the VPN firewall, you can enter a digital certificate on the IKE Policies screen, on 
which the certificate is referred to as an RSA signature. 
• On the VPN client, you can enter a digital certificate on the Authentication pane in the 
Configuration Panel screen.
Digital certificates can either be self-signed or be issued by certification authorities (CAs) 
such as an internal Windows server or an external organization such as Verisign or Thawte. 
However, if a digital certificate contains the extKeyUsage extension, the certificate can be 
used only for the purposes listed in that extension. For example, if the extKeyUsage extension 
of a digital certificate is defined for SNMPv2 only, the same certificate cannot be used for 
secure web management. When the same digital certificate is also used for secure web 
management, the extKeyUsage extension governs whether the VPN firewall accepts it for 
that use.
When a digital certificate is uploaded, the VPN firewall checks it for validity and for purpose. 
The certificate is accepted only when it passes the validity check and its purpose matches the 
use for which it is uploaded; for an IPSec VPN certificate, the purpose must therefore include 
IPSec VPN. A certificate whose defined purpose includes IPSec VPN is placed in the IPSec VPN 
certificate repository; a certificate whose defined purpose is IPSec VPN only is placed in that 
repository and in no other.
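As an added example (not NETGEAR's code; the firewall's own certificate parser is not published), the following Python script, using only the standard library, decodes the DER-encoded extKeyUsage extension value defined in RFC 5280 and applies the acceptance rule described above: a certificate without extKeyUsage may be used for any purpose, while a certificate that carries the extension is accepted for IPSec VPN or for secure web management only if the extension lists a matching key purpose (or anyExtendedKeyUsage). The mapping of the IPSec VPN use to the IPsec and IKE key-purpose OIDs from RFC 5280 and RFC 4945, and of secure web management to serverAuth, is an assumption of this example, as are the sample extension values, which are constructed inline.

```python
"""extKeyUsage acceptance check of the kind the manual describes.

Added example; it is not NETGEAR firmware code. It parses the content of the
extKeyUsage extension value (the bytes inside the extension's OCTET STRING):
    ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (OBJECT IDENTIFIER)
"""

# Key-purpose OIDs from RFC 5280 sec. 4.2.1.12 and RFC 4945 sec. 5.1.3.12.
ANY_EKU       = "2.5.29.37.0"          # anyExtendedKeyUsage
SERVER_AUTH   = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CLIENT_AUTH   = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth
IPSEC_END_SYS = "1.3.6.1.5.5.7.3.5"    # id-kp-ipsecEndSystem
IPSEC_TUNNEL  = "1.3.6.1.5.5.7.3.6"    # id-kp-ipsecTunnel
IPSEC_USER    = "1.3.6.1.5.5.7.3.7"    # id-kp-ipsecUser
IPSEC_IKE     = "1.3.6.1.5.5.7.3.17"   # id-kp-ipsecIKE
IKE_INTERMED  = "1.3.6.1.5.5.8.2.2"    # iKEIntermediate

# Assumed mapping of the firewall's two uses to key purposes (this example's choice).
PURPOSE_OIDS = {
    "ipsec-vpn": {IPSEC_END_SYS, IPSEC_TUNNEL, IPSEC_USER, IPSEC_IKE, IKE_INTERMED},
    "web-management": {SERVER_AUTH},
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER (tag, length, content)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return b"\x06" + bytes([len(body)]) + body


def encode_eku(oids):
    """Build an extKeyUsage value (DER SEQUENCE OF OID); short-form length suffices here."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + bytes([len(body)]) + body


def parse_eku(der):
    """Parse an extKeyUsage value into a list of dotted OIDs; reject malformed input."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage value is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(val))
    return oids


def accepted_for(eku_der, use):
    """Purpose check: no extKeyUsage means any use; otherwise the use must be listed."""
    if eku_der is None:
        return True
    listed = set(parse_eku(eku_der))
    return ANY_EKU in listed or bool(listed & PURPOSE_OIDS[use])


# Constructed sample extension values (not taken from any real certificate).
SAMPLES = {
    "ipsec-only": encode_eku([IPSEC_IKE, IKE_INTERMED]),
    "web-only":   encode_eku([SERVER_AUTH]),
    "both":       encode_eku([SERVER_AUTH, IPSEC_IKE]),
    "any":        encode_eku([ANY_EKU]),
    "no-eku":     None,
}


def acceptance_table():
    """Return {sample: {use: accepted}} for every sample and both uses."""
    return {name: {use: accepted_for(der, use) for use in PURPOSE_OIDS}
            for name, der in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in acceptance_table().items():
        print(f"{name:11s} ipsec-vpn={result['ipsec-vpn']!s:5s} "
              f"web-management={result['web-management']}")
```

On a real certificate the same decision can be previewed before upload with `openssl x509 -in cert.pem -noout -ext extendedKeyUsage`; an empty result means the extension is absent and the firewall's purpose check imposes no restriction.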
The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, 
and to be authenticated by remote entities. A digital certificate that authenticates a server, for 
example, is a file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the 
signature is from a trusted third party whose identity can be verified.
You can obtain a digital certificate from a well-known commercial certification authority (CA) 
such as Verisign or Thawte, or you can generate and sign your own digital certificate. 
Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate 
from a commercial CA provides a strong assurance of the server's identity. A self-signed 
digital certificate triggers a warning from most browsers because no trusted third party has 
verified the server's identity, so it provides no protection against impersonation of the server.
The VPN firewall contains a self-signed digital certificate from NETGEAR. This certificate can 
be downloaded from the VPN firewall login screen for browser import. However, NETGEAR