2017-01-27 07:45 AM
I have a FVS318N router, firmware 4.3.4-2.
I have generated a certificate signing request (CSR) from the firewall (SHA-1 + RSA2048).
I have issued certificates:
In both cases:
2017-02-15 02:52 AM
I have inquired your concern to a higher tier of NETGEAR Support and here below are the answers to your queries:
1. Are Intermediate CAs issued certificates supported by the Netgear CSR?
Answer: No, We do not support intermediate CA.
2. The certificate the client has uploaded is used now for the administration interface, which is unwanted. The client would want to add an IPSEC only certificate which does not interfere with the SSL certificate. What key Usage/Extended key usage to add or exclude?
Answer: No, Currently our devices don’t have such setting Key usage/ extended key usage by which a single certificate can be made available only for SSL or only for IPSEC.
3. The documentation refers to IPSEC VPN extKeyUsage (EKU). AFAIK the IPSEC specific EKUs have been deprecated long ago and should no longer be used. The IPSEC VPN OIDs are not mentioned in the Netgear doc; does anyone know what they mean?
Answer: We do not have any OIDS support.
4. Is there any way to grab more information (ie: logs) of what happens inside for certificate management? The firewall has a serial port and the client has a PC with a serial port on. Can it be used to log anything useful there?
Answer: No, we do not have this debug logs support by default in firmware.
NETGEAR Community Team
2017-02-20 11:29 AM
Thanks for the effort and answer.
Sadly the answer you had confirms what I feared: the certificate support is very much limited.
> 2. Answer: No, Currently our devices don’t have such setting Key usage/ extended key usage by which a single certificate can be made available only for SSL or only for IPSEC.
> 3. Answer: We do not have any OIDS support.
The Router Reference manual (April 2013, 202-10836-05), p316 (chapter: Manage Digital Certificates for VPN Connections):
"On the wireless VPN firewall, the uploaded digital certificate is checked for validity and
purpose. The digital certificate is accepted when it passes the validity test and the purpose
matches its use. The check for the purpose needs to correspond to its use for IPSec VPN,
SSL VPN, or both. If the defined purpose is for IPSec VPN and SSL VPN, the digital
certificate is uploaded to both the IPSec VPN certificate repository and the SSL VPN
certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is
uploaded only to the IPSec VPN certificate repository"
It would be good and fair to reissue an updated Reference Manual no longer containing that. The current product description and publicly available documentation are misleading.
The update could contain also "we don't support intermediate CA" as well. But I'm repeating myself.
>4. Answer: No, we do not have this debug logs support by default in firmware.
I feel like I'm a pain - but you said "by default": does this mean that it could be somehow changed? I'm ok with the command line, should that be needed.
Or should I read "not possible at all, go away!" ?
Bottom line: the setup I need to put in place is impossible to achieve with my FVS318N unless some firmware update will address the missing bits.
This looks rather unlikely to happen anytime soon...
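As an added illustration (not code from the thread or from NETGEAR), the following Python decodes a certificate's extendedKeyUsage extension value and applies the purpose rule the manual quotes above; the EKU-to-repository mapping is my assumption modelling that wording, since NETGEAR's reply says the firmware does not actually evaluate it. It is the check a practitioner would run on a CA-issued certificate before uploading it, to see which purposes it really carries.

```python
# Decode an X.509 extendedKeyUsage (EKU) value and map it to the purposes the
# FVS318N manual describes. OIDs per RFC 5280 / RFC 4945; the ipsec* entries are
# the deprecated IPsec EKUs the thread mentions.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.5": "ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "ipsecUser",
    "1.3.6.1.5.5.8.2.2": "ipsecIKE",
}
# Assumed mapping from EKU to repository, modelling the manual's wording only.
SSL_PURPOSES = {"serverAuth"}
IPSEC_PURPOSES = {"ipsecEndSystem", "ipsecTunnel", "ipsecUser", "ipsecIKE"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) of a DER element; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode DER OID contents: first byte packs arcs 1 and 2, then base-128."""
    first = min(value[0] // 40, 2)
    arcs, acc = [first, value[0] - 40 * first], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the subidentifier
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Parse an EKU extnValue (SEQUENCE OF OBJECT IDENTIFIER) into names/OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        names.append(EKU_NAMES.get(decode_oid(val), decode_oid(val)))
    return names

def repositories(eku_names):
    """Repositories the manual says a cert with these EKUs would land in."""
    names, repos = set(eku_names), set()
    if names & SSL_PURPOSES:
        repos.add("SSL VPN")
    if names & IPSEC_PURPOSES:
        repos.add("IPsec VPN")
    return repos

# Constructed sample EKU: serverAuth + ipsecIKE (what a CA might issue for "both").
SAMPLE_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505080202")
```

Feed `parse_eku` the raw extnValue bytes of the EKU extension (e.g. as dumped by an ASN.1 tool) and `repositories` tells you where the manual's rule would place the certificate.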
2017-02-21 05:41 AM - edited 2017-02-21 05:44 AM
About the re-issue of the FVS318N reference manual (specific to what you have posted) and about the debug logs to be supported on the FVS318N, I suggest you post this as a feature request in the Idea Exchange Board for Business here. In this way, the development team can see what updates and features users want to be added to the functionality of the VPN firewall. Be reminded that the more kudos given by community members to your feature request, the better, because the development team will be reviewing the posts that have the most kudos, and there will be a high possibility that it will be considered.
NETGEAR Community Team
2017-02-24 10:00 AM
We’d greatly appreciate hearing your feedback letting us know if the information we provided has helped resolve your issue or if you need further assistance.
If your issue is now resolved we encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The Netgear community looks forward to hearing from you and being a helpful resource in the future!
2017-02-24 04:10 PM
I don't mind closing this thread somehow (I don't know how), but I can't choose any of the answers as "solution".
I have acknowledged that the current certificate implementation is severely limited and not even up to what Netgear documentation claims.
There's no solution so far, and not much hope for one either: all depends on "Idea Exchange Board for Business" etc.
I give up, but there's no button to close the thread this way
@DaneA, You - and maybe others - do a great job to monitor and answer, I really appreciate and thank you for your effort to have things sorted out
Overall I'm disappointed by the support for the firmware of the product. "we have firmware problems for a lifetime guaranteed item and we won't fix except maybe if one gets enough votes etc " from the firmware maintainer is ... disappointing.
2017-02-26 02:35 AM
You're welcome! I really encourage you to post your concern as a feature request in the Idea Exchange Board for Business.
NETGEAR Community Team