P-2612HNU-Fx User's Guide
221
Chapter 15
Certificates
15.1 Overview
The ZyXEL Device can use certificates (also called digital IDs) to authenticate
users. Certificates are based on public-private key pairs. A certificate contains the
certificate owner’s identity and public key. Certificates provide a way to exchange
public keys for use in authentication.
15.1.1 What You Can Do in this Chapter
• Use the Local Certificate screens to view and import the ZyXEL Device's CA-signed certificates (Section 15.2 on page 224).
• Use the Trusted CA screens to save the certificates of trusted CAs to the ZyXEL Device. You can also export the certificates to a computer (Section 15.3 on page 226).
15.1.2 What You Need to Know
The following terms and concepts may help as you read this chapter.
Certification Authorities
A Certification Authority (CA) issues certificates and guarantees the identity of
each certificate owner. There are commercial certification authorities like
CyberTrust or VeriSign and government certification authorities.
Public and Private Keys
When using public-key cryptology for authentication, each host has two keys. One
key is public and can be made openly available; the other key is private and must
be kept secure. Public-key encryption in general works as follows.
1 Tim wants to send a private message to Jenny. Tim generates a public-private key pair. What is encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny's public key to decrypt the message.
The ZyXEL Device uses certificates based on public-key cryptology to authenticate
users attempting to establish a connection. The method used to secure the data
that you send through an established connection depends on the type of
connection. For example, a VPN tunnel might use the triple DES encryption
algorithm.
The certification authority uses its private key to sign certificates. Anyone can then
use the certification authority’s public key to verify the certificates.
Certification Path
A certification path is the hierarchy of certification authority certificates that
validate a certificate. The ZyXEL Device does not trust a certificate if any
certificate on its path has expired or been revoked.
Certificate Directory Servers
Certification authorities maintain directory servers with databases of valid and
revoked certificates. A directory of certificates that have been revoked before the
scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL
Device can check a peer’s certificate against a directory server’s list of revoked
certificates. The framework of servers, software, procedures and policies that
handles keys is called PKI (public-key infrastructure).
Advantages of Certificates
Certificates offer the following benefits.
• The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
Certificate File Formats
The certification authority certificate that you want to import has to be in one of
these file formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyXEL Device currently allows the importation of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
Note: Be careful not to convert a binary file to text during the transfer process. It is
easy for this to occur since many programs use text files by default.
15.1.3 Verifying a Certificate
Before you import a trusted CA or trusted remote host certificate into the ZyXEL
Device, you should verify that you have the actual certificate. This is especially
true of trusted CA certificates since the ZyXEL Device also trusts any valid
certificate signed by any of the imported trusted CA certificates.
You can use a certificate’s fingerprint to verify it. A certificate’s fingerprint is a
message digest calculated using the MD5 or SHA1 algorithms. The following
procedure describes how to check a certificate’s fingerprint to verify that you have
the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a ".cer" or ".crt" file name extension.
Figure 86 Certificates on Your Computer
3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 87 Certificate Details
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
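The fingerprint check above can also be scripted. The following Python is an added example, not part of the ZyXEL guide: it computes the thumbprint of a certificate file supplied in either of the X.509 forms listed under Certificate File Formats (binary DER or PEM), showing that both give the same fingerprint because the digest is taken over the DER bytes, and it shows how the binary-to-text conversion the note warns about surfaces as a fingerprint mismatch. The certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# PEM (Base-64) encoded X.509 wraps the Base-64 of the DER bytes in these markers.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the raw DER bytes whether the file is binary X.509 or PEM.

    A binary X.509 (DER) certificate starts with 0x30, the ASN.1 SEQUENCE tag.
    """
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    if data[:1] != b"\x30":
        raise ValueError("neither PEM nor DER; the file may have been altered in transfer")
    return data


def fingerprint(data: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint as shown in the Certificate > Details tab: a digest of the
    DER bytes, printed as colon-separated upper-case hex ("sha1" or "md5")."""
    digest = hashlib.new(algorithm, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(data: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Constant-time comparison against the thumbprint the certificate owner
    confirmed over a secure channel (telephone, HTTPS), ignoring separators."""
    actual = fingerprint(data, algorithm).replace(":", "")
    wanted = expected.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(actual, wanted)


# Constructed stand-in for a DER certificate, NOT a real X.509 structure: a
# SEQUENCE header plus filler that includes 0x0A and 0x0D, the bytes a
# text-mode transfer rewrites.
DER_SAMPLE = b"\x30\x08\x0a\x0d\x01\x02\x03\x04\x05\x06"
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(DER_SAMPLE)
              + b"-----END CERTIFICATE-----\n")
# The same DER file after an accidental LF -> CRLF conversion.
DAMAGED_SAMPLE = DER_SAMPLE.replace(b"\x0a", b"\x0d\x0a")

if __name__ == "__main__":
    print("SHA1:", fingerprint(DER_SAMPLE))
    print("PEM gives same thumbprint:", fingerprint(PEM_SAMPLE) == fingerprint(DER_SAMPLE))
    print("Damaged copy still matches:", matches(DAMAGED_SAMPLE, fingerprint(DER_SAMPLE)))
```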
15.2 Local Certificates
Use this screen to view the ZyXEL Device’s summary list of certificates and
certification requests. You can import the following certificates to your ZyXEL
Device:
• Web Server - This certificate secures HTTP connections.
• SIP TLS - This certificate secures VoIP connections.
• SSH/SCP/SFTP - This certificate secures remote connections.
Click Security > Certificates to open the Local Certificates screen.
Figure 88 Security > Certificates > Local Certificates
The following table describes the labels in this screen.
Table 53 Security > Certificates > Local Certificates
LABEL
    DESCRIPTION
Web Server
    Type in the location of the Web Server certificate file you want to upload in this field or click Browse to find it.
Browse
    Click Browse to find the certificate file you want to upload.
Current File
    This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Subject
    This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer
    This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country.
Valid From
    This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To
    This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Cert
    Click this button and then click Save in the File Download screen. When the Save As screen opens, browse to the location that you want to use and click Save.
SSH/SCP/SFTP
    Type in the location of the SSH/SCP/SFTP certificate file you want to upload in this field or click Browse to find it.
Browse
    Click Browse to find the certificate file you want to upload.
Current File
    This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
