Chapter 9 Certificates
P-660R-F1 Series User’s Guide
136
LABEL
    DESCRIPTION
Modify
    Click the Edit icon to open a screen where you can change the information about the directory server.
    Click the Remove icon to remove the directory server entry. A window displays asking you to confirm that you want to delete the directory server. Note that subsequent certificates move up by one when you take this action.
Add
    Click this to open a screen where you can configure information about a directory server so that the ZyXEL Device can access it.

9.5.1 Directory Server Add and Edit

Use this screen to configure information about a directory server that the ZyXEL Device can access. Click Security > Certificates > Directory Servers to open the Directory Servers screen. Click Add (or the details icon) to open the Directory Server Add screen.

Figure 82 Directory Server Add and Edit

The following table describes the labels in this screen.

Table 52 Directory Server Add and Edit

LABEL
    DESCRIPTION
Directory Service Setting
Name
    Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol
    Use the drop-down list box to select the access protocol used by the directory server. LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates. (1)
Server Address
    Type the IP address (in dotted decimal notation) or the domain name of the directory server.
Server Port
    This field displays the default server port number of the protocol that you select in the Access Protocol field. You may change the server port number if needed; however, you must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
Login Setting
Login
    The ZyXEL Device may need to authenticate itself in order to access the directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
Password
    Type the password (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
Back
    Click this to return to the Directory Servers screen.
Apply
    Click this to save your changes.
Cancel
    Click this to restore your previously saved settings.

1. At the time of writing, LDAP is the only choice of directory server access protocol.

9.6 Certificates Technical Reference

This section provides technical background information about the topics covered in this chapter.

9.6.1 Certificates Overview

The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (Public-Key Infrastructure).
Page 138 / 268
Chapter 9 Certificates
P-660R-F1 Series User’s Guide
138
Advantages of Certificates

Certificates offer the following benefits.

- The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
- Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

Self-signed Certificates

You can have the ZyXEL Device act as a certification authority and sign its own certificates.
9.6.2 Private-Public Certificates
When using public-key cryptology for authentication, each host has two keys. One key is public and
can be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature (in fact, certificates are often referred to as “digital
signatures”). Only you can write your signature exactly as it should look. When people know what
your signature looks like, they can verify whether something was signed by you, or by someone
else. In the same way, your private key “writes” your digital signature and your public key allows
people to verify whether data was signed by you, or by someone else. This process works as
follows.
1. Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2. Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3. Tim uses his private key to sign the message and sends it to Jenny.
4. Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key).
5. Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.
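The five steps above, carried through in Go as an added example (this is not code from the user's guide or from ZyXEL's firmware). It assumes Ed25519 for the key pair, which is a choice made for the example; the Party, NewParty, Sign, VerifyFrom and Exchange names are the example's own. It also shows what the text only implies: a message altered in transit, or signed by someone other than Tim, fails verification against Tim's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Party is one host's key pair: the private key never leaves its owner, the public key is published.
type Party struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewParty generates a fresh key pair for the named host (step 1 of the procedure above).
func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, priv: priv, Pub: pub}
}

// Sign "writes" the digital signature; only the holder of the private key can produce it (step 3).
func (p *Party) Sign(msg []byte) []byte {
	return ed25519.Sign(p.priv, msg)
}

// VerifyFrom checks msg and sig against the claimed sender's published public key (step 4).
// It is true only if msg is unchanged and sig was made with the private key matching senderPub.
func VerifyFrom(senderPub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(senderPub, msg, sig)
}

// Exchange walks the Tim/Jenny scenario with constructed messages and reports four outcomes:
// Tim's genuine message verifies, a copy altered in transit does not, a message signed by a
// third party pretending to be Tim does not, and Jenny's signed reply verifies for Tim (step 5).
func Exchange() (genuine, altered, impostor, replyOK bool) {
	tim, jenny, third := NewParty("Tim"), NewParty("Jenny"), NewParty("third party")
	msg := []byte("Jenny, the meeting is at 10:00. Tim")
	sig := tim.Sign(msg)
	genuine = VerifyFrom(tim.Pub, msg, sig)
	tampered := []byte("Jenny, the meeting is at 11:00. Tim")
	altered = VerifyFrom(tim.Pub, tampered, sig)
	impostor = VerifyFrom(tim.Pub, msg, third.Sign(msg))
	reply := []byte("Understood, see you at 10:00. Jenny")
	replyOK = VerifyFrom(jenny.Pub, reply, jenny.Sign(reply))
	return genuine, altered, impostor, replyOK
}
```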
9.6.3 Verifying a Trusted Remote Host's Certificate
Certificates issued by certification authorities have the certification authority’s signature for you to
check. Self-signed certificates only have the signature of the host itself. This means that you must
be very careful when deciding to import (and thereby trust) a remote host’s self-signed certificate.
Trusted Remote Host Certificate Fingerprints
A certificate’s fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The
following procedure describes how to use a certificate’s fingerprint to verify that you have the
remote host’s correct certificate.
1. Browse to where you have the remote host's certificate saved on your computer.
2. Make sure that the certificate has a ".cer" or ".crt" file name extension.

Figure 83 Remote Host Certificates

3. Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 84 Certificate Details

4. Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
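The fingerprint check above, and the expiry rule from the overview in 9.6.1, as an added Go example (not code from the user's guide or from ZyXEL). It assumes a constructed self-signed Ed25519 certificate standing in for the remote host's .cer file, formats the MD5 or SHA1 digest of the DER bytes the way the Windows Thumbprint field shows it, compares it with a value read out over the phone regardless of case and separators, and shows that the same certificate is no longer trusted once its validity period has passed; Thumbprint, SameThumbprint, TrustedAt and DemoCert are the example's own names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Thumbprint digests the DER-encoded certificate with MD5 or SHA1 and formats the result as the
// Windows Certificate Details dialog shows the Thumbprint field: hex byte pairs separated by spaces.
func Thumbprint(c *x509.Certificate, algo string) string {
	if strings.EqualFold(algo, "md5") {
		return fmt.Sprintf("% x", md5.Sum(c.Raw))
	}
	return fmt.Sprintf("% x", sha1.Sum(c.Raw))
}

// SameThumbprint compares the local digest with the value the remote host read out, ignoring case, spaces and colons.
func SameThumbprint(c *x509.Certificate, algo, spoken string) bool {
	norm := func(s string) string { return strings.ToLower(strings.NewReplacer(" ", "", ":", "").Replace(s)) }
	return norm(Thumbprint(c, algo)) == norm(spoken)
}

// TrustedAt reports whether an imported self-signed certificate is still within its validity period at t.
func TrustedAt(c *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err == nil
}

// DemoCert builds a constructed self-signed host certificate (Ed25519 key) valid for 30 days.
func DemoCert() *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "remote-host.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER the library just produced parses back cleanly
	return c
}
```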