ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
9-18 Managing Users, Authentication, and Certificates
v1.0, September 2009
On the UTM, the uploaded digital certificate is checked for validity and purpose. The digital
certificate is accepted when it passes the validity test and the purpose matches its use. The check
for the purpose must correspond to its use for IPsec VPN, SSL VPN, or both. If the defined
purpose is for IPsec VPN and SSL VPN, the digital certificate is uploaded to both the IPsec VPN
certificate repository and the SSL VPN certificate repository. However, if the defined purpose is
for IPsec VPN only, the certificate is uploaded only to the IPsec VPN certificate repository.
The UTM uses digital certificates to authenticate connecting VPN gateways or clients, and to be
authenticated by remote entities. A digital certificate that authenticates a server, for example, is a
file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the signature is
from a trusted third party whose identity can be verified.
You can obtain a digital certificate from a well-known commercial certificate authority (CA) such
as Verisign or Thawte, or you can generate and sign your own digital certificate. Because a
commercial CA takes steps to verify the identity of an applicant, a digital certificate from a
commercial CA provides a strong assurance of the server’s identity. A self-signed digital
certificate triggers a warning from most browsers because it provides no protection against identity
theft of the server.
The UTM contains a self-signed digital certificate from NETGEAR. This certificate can be
downloaded from the UTM login screen for browser import. However, NETGEAR recommends
that you replace this digital certificate with a digital certificate from a well-known commercial CA
prior to deploying the UTM in your network.
To display the Certificates screen, select VPN > Certificates from the menu. Because of the large
size of this screen, and because of the way the information is presented, the Certificates screen is
divided and presented in this manual in three figures (Figure 9-11 on page 9-19, Figure 9-13 on
page 9-22, and Figure 9-15 on page 9-26).
The Certificates screen lets you to view the currently loaded digital certificates, upload a new
digital certificate, and generate a Certificate Signing Request (CSR). The UTM typically holds two
types of digital certificates:
• CA digital certificates. Each CA issues its own CA identity digital certificate to validate
communication with the CA and to verify the validity of digital certificates that are signed by
the CA.
• Self digital certificates. The digital certificates that are issued to you by a CA to identify your
device.