Chapter 12 Certificates
P-660HN-FxZ Series User’s Guide
203
Table 75 Trusted Remote Host Details (continued)
LABEL: DESCRIPTION
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate’s identification number given by the device that created the certificate.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the default self-signed certificate on the ZyXEL Device that the ZyXEL Device uses to sign the trusted remote host certificates.
Signature Algorithm: This field displays the type of algorithm that the ZyXEL Device used to sign the certificate, which is rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, “Subject Type=CA” means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path.
MD5 Fingerprint: This is the certificate’s message digest that the ZyXEL Device calculated using the MD5 algorithm. You cannot use this value to verify that this is the remote host’s correct certificate, because the ZyXEL Device has signed the certificate, which makes this value differ from that of the remote host’s correct certificate. See Section 12.6.3 on page 207 for how to verify a remote host’s certificate.
SHA1 Fingerprint: This is the certificate’s message digest that the ZyXEL Device calculated using the SHA1 algorithm. You cannot use this value to verify that this is the remote host’s correct certificate, because the ZyXEL Device has signed the certificate, which makes this value differ from that of the remote host’s correct certificate. See Section 12.6.3 on page 207 for how to verify a remote host’s certificate.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk, for example).
Back: Click this to return to the previous screen without saving.
Export: Click this and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save.
Table 75 Trusted Remote Host Details (continued)
LABEL: DESCRIPTION
Apply: Click this to save your changes. You can only change the name of the certificate.
Cancel: Click this to restore your previously saved settings.

12.5 The Directory Servers Screens
This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyXEL Device. If you decide to have the ZyXEL Device check incoming certificates against the issuing certification authority’s list of revoked certificates, the ZyXEL Device first checks the server(s) listed in the CRL Distribution Points field of the incoming certificate. If the certificate does not list a server or the listed server is not available, the ZyXEL Device checks the servers listed here. Click Security > Certificates > Directory Servers to open the Directory Servers screen.
Figure 118 Directory Servers
The following table describes the labels in this screen.
Table 76 Directory Servers
LABEL: DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
#: The index number of the directory server. The servers are listed in alphabetical order.
Name: This field displays the name used to identify this directory server.
Address: This field displays the IP address or domain name of the directory server.
Port: This field displays the port number that the directory server uses.
Protocol: This field displays the protocol that the directory server uses.
Table 76 Directory Servers (continued)
LABEL: DESCRIPTION
Modify: Click the Edit icon to open a screen where you can change the information about the directory server. Click the Remove icon to remove the directory server entry. A window displays asking you to confirm that you want to delete the directory server. Note that subsequent certificates move up by one when you take this action.
Add: Click this to open a screen where you can configure information about a directory server so that the ZyXEL Device can access it.

12.5.1 Directory Server Add and Edit
Use this screen to configure information about a directory server that the ZyXEL Device can access. Click Security > Certificates > Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen.
Figure 119 Directory Server Add and Edit
The following table describes the labels in this screen.
Table 77 Directory Server Add and Edit
LABEL: DESCRIPTION
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol: Use the drop-down list box to select the access protocol used by the directory server. LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates. (A)
Server Address: Type the IP address (in dotted decimal notation) or the domain name of the directory server.
Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You may change the server port number if needed; however, you must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
Login Setting
Table 77 Directory Server Add and Edit (continued)
LABEL: DESCRIPTION
Login: The ZyXEL Device may need to authenticate itself in order to access the directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
Password: Type the password (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
Back: Click this to return to the Directory Servers screen.
Apply: Click this to save your changes.
Cancel: Click this to restore your previously saved settings.
A. At the time of writing, LDAP is the only choice of directory server access protocol.

12.6 Certificates Technical Reference
This section provides technical background information about the topics covered in this chapter.

12.6.1 Certificates Overview
The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
The ZyXEL Device uses certificates based on public-key cryptography to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (Public-Key Infrastructure).

Advantages of Certificates
Certificates offer the following benefits.
• The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
Self-signed Certificates
You can have the ZyXEL Device act as a certification authority and sign its own certificates.
12.6.2 Private-Public Certificates
When using public-key cryptography for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.
1. Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2. Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3. Tim uses his private key to sign the message and sends it to Jenny.
4. Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key).
5. Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.
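The five steps above, as an added example that is not part of the ZyXEL guide: a textbook RSA sign/verify round trip in Python with no padding, using fixed Mersenne primes (a constructed choice) in place of real key generation, a constructed message, and SHA-224 as an assumed digest.

```python
import hashlib

# Toy RSA for walking through the Tim/Jenny steps only: no padding, and
# "key generation" uses fixed Mersenne primes (a constructed choice) instead
# of random primes. Real devices use padded schemes such as the
# rsa-pkcs1-sha1 shown in the certificate details.
E = 65537
TIM_PRIMES = ((1 << 127) - 1, (1 << 107) - 1)     # n is about 234 bits
JENNY_PRIMES = ((1 << 521) - 1, (1 << 89) - 1)    # n is about 610 bits

def generate_key_pair(primes):
    """Step 1: a public key (n, e) and a private key (n, d) from two primes."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # modular inverse (Python 3.8+)
    return (n, E), (n, d)

def message_digest(message: bytes) -> int:
    """SHA-224 of the message as an integer; it is below n for both key sizes."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")

def sign(private_key, message: bytes) -> int:
    """Step 3: the private key 'writes' the signature over the digest."""
    n, d = private_key
    return pow(message_digest(message), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    """Step 4: anyone holding the public key checks the signature."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)

def tim_and_jenny():
    """Run the five steps; returns (genuine ok, altered ok, reply ok)."""
    tim_pub, tim_priv = generate_key_pair(TIM_PRIMES)   # steps 1 and 2
    message = b"Meet at 10:00"                           # constructed
    sig = sign(tim_priv, message)                        # step 3
    genuine = verify(tim_pub, message, sig)              # step 4
    # Someone on the path can read the message but cannot re-sign an
    # altered copy without Tim's private key, so this check fails.
    altered = verify(tim_pub, b"Meet at 11:00", sig)
    # Step 5: Jenny answers with a message signed under her own key pair.
    jenny_pub, jenny_priv = generate_key_pair(JENNY_PRIMES)
    reply = b"See you at 10:00"
    reply_ok = verify(jenny_pub, reply, sign(jenny_priv, reply))
    return genuine, altered, reply_ok
```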
12.6.3 Verifying a Trusted Remote Host’s Certificate
Certificates issued by certification authorities have the certification authority’s signature for you to check. Self-signed certificates only have the signature of the host itself. This means that you must be very careful when deciding to import (and thereby trust) a remote host’s self-signed certificate.

Trusted Remote Host Certificate Fingerprints
A certificate’s fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to use a certificate’s fingerprint to verify that you have the remote host’s correct certificate.
1. Browse to where you have the remote host’s certificate saved on your computer.
2. Make sure that the certificate has a “.cer” or “.crt” file name extension.
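The fingerprint check described here and the fingerprint, Key Usage and Valid From / Valid To fields of Table 75, as an added example that is not ZyXEL’s code: it strips the PEM (Base-64) armour the device exports, computes the MD5 and SHA1 fingerprints over the DER bytes, decodes a DER KeyUsage BIT STRING into the names shown in the Key Usage field, and reproduces the validity warnings. The PEM body is a constructed placeholder, not a real certificate, and the 30-day Expiring! window is an assumption.

```python
import base64
import hashlib
from datetime import datetime, timedelta

# KeyUsage bit names in RFC 5280 order; bit 0 is the most significant bit
# of the first content byte of the DER BIT STRING.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")

# Constructed placeholder wearing the PEM armour the device exports; the
# body decodes to the bytes 0x00..0x09 and is not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END lines and Base-64 decode the body back to DER."""
    body = [line.strip() for line in pem.splitlines()
            if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of the DER bytes, formatted as the device shows it (AB:CD:...)."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)

def decode_key_usage(bit_string: bytes) -> list:
    """Contents of a DER KeyUsage BIT STRING to bit names; the first content
    byte is the number of unused trailing bits."""
    usable = (len(bit_string) - 1) * 8 - bit_string[0]
    return [KEY_USAGE_BITS[i] for i in range(min(usable, len(KEY_USAGE_BITS)))
            if bit_string[1 + i // 8] & (0x80 >> (i % 8))]

def validity_status(valid_from: str, valid_to: str, now: str,
                    warn_days: int = 30) -> str:
    """Reproduce the Valid From / Valid To warnings for ISO 8601 dates. The
    30-day 'Expiring!' window is an assumption, not a documented setting."""
    start, end = datetime.fromisoformat(valid_from), datetime.fromisoformat(valid_to)
    current = datetime.fromisoformat(now)
    if current < start:
        return "Not Yet Valid!"
    if current > end:
        return "Expired!"
    if current + timedelta(days=warn_days) > end:
        return "Expiring!"
    return "valid"
```

Compare the SHA1 fingerprint computed from the exported file with the one the remote host’s administrator gives you out of band; the MD5 value is kept only because the device still displays it.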
