Zyxel P-663HN-51 Frontier Router Manual PDF (Setup & Configuration Guide)

Page 136 / 300 Scroll up to view Page 131 - 135

Chapter 17 Certificates

P-663HN-51 User’s Guide

136

17.2.1

Trusted CA Details

Use this screen to view in-depth information about the certification authority’s

certificate. Click

Advanced Setup > Certificate

to open the Trusted CAs screen.

Then click a certificate’s View button to open the details screen.

Figure 66

Trusted CA Details

The following table describes the labels in this screen.

Table 51

Trusted CA Details

LABEL

DESCRIPTION

Name

This field displays the identifying name of this certificate.

Type

This field displays general information about the certificate. CA-signed

means that a Certification Authority signed the certificate. Self-signed

means that the certificate’s owner signed the certificate (not a

certification authority).

“X.509” means that this certificate was

created and signed according to the ITU-T X.509 recommendation

that defines the formats for public-key certificates.

Subject

This field displays identifying information about the certificate’s

owner, such as CN (Common Name), OU (Organizational Unit or

department), O (Organization or company) and C (Country). It is

recommended that each certificate have unique subject information.

Certificate

This is the certificate’s information displayed in plain text.

Back

Click this to return to the previous screen.

Page 137 / 300

Chapter 17 Certificates

P-663HN-51 User’s Guide

137

17.2.2

Trusted CA Import

Click

Advanced Setup > Certificate

to open the

Trusted CA

screen and then

click

Import Certificate

to open the following screen. Use this screen to save a

trusted certification authority’s certificate to the ZyXEL Device.

Note: You must remove any spaces from the certificate’s filename before you can

import the certificate.

Figure 67

Trusted CA Import

The following table describes the labels in this screen.

17.3

Certificates Technical Reference

This section provides technical background information about the topics covered in

this chapter.

Table 52

Trusted CA Import

LABEL

DESCRIPTION

Certificate

Name

Enter the name of the CA certificate.

Certificate

Open the trusted CA certificate in notepad and copy its information and paste

it into this field.

Apply

Click this to save the certificate on the ZyXEL Device.

Page 138 / 300

Chapter 17 Certificates

P-663HN-51 User’s Guide

138

17.3.1

Certificates Overview

The ZyXEL Device can use certificates (also called digital IDs) to authenticate

users. Certificates are based on public-private key pairs. A certificate contains the

certificate owner’s identity and public key. Certificates provide a way to exchange

public keys for use in authentication.

The ZyXEL Device uses certificates based on public-key cryptology to authenticate

users attempting to establish a connection, not to encrypt the data that you send

after establishing a connection. The method used to secure the data that you send

through an established connection depends on the type of connection. For

example, a VPN tunnel might use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can then

use the certification authority’s public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that

validate a certificate. The ZyXEL Device does not trust a certificate if any

certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and

revoked certificates. A directory of certificates that have been revoked before the

scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL

Device can check a peer’s certificate against a directory server’s list of revoked

certificates. The framework of servers, software, procedures and policies that

handles keys is called PKI (Public-Key Infrastructure).

Advantages of Certificates

Certificates offer the following benefits.

•

The ZyXEL Device only has to store the certificates of the certification

authorities that you decide to trust, no matter how many devices you need to

authenticate.

•

Key distribution is simple and very secure since you can freely distribute public

keys and you never need to transmit private keys.

Self-signed Certificates

You can have the ZyXEL Device act as a certification authority and sign its own

certificates.

Page 139 / 300

Chapter 17 Certificates

P-663HN-51 User’s Guide

139

17.3.2

Private-Public Certificates

When using public-key cryptology for authentication, each host has two keys. One

key is public and can be made openly available. The other key is private and must

be kept secure.

These keys work like a handwritten signature (in fact, certificates are often

referred to as “digital signatures”). Only you can write your signature exactly as it

should look. When people know what your signature looks like, they can verify

whether something was signed by you, or by someone else. In the same way, your

private key “writes” your digital signature and your public key allows people to

verify whether data was signed by you, or by someone else. This process works as

follows.

1

Tim wants to send a message to Jenny. He needs her to be sure that it comes from

him, and that the message content has not been altered by anyone else along the

way. Tim generates a public key pair (one public key and one private key).

2

Tim keeps the private key and makes the public key openly available. This means

that anyone who receives a message seeming to come from Tim can read it and

verify whether it is really from him or not.

3

Tim uses his private key to sign the message and sends it to Jenny.

4

Jenny receives the message and uses Tim’s public key to verify it. Jenny knows

that the message is from Tim, and that although other people may have been able

to read the message, no-one can have altered it (because they cannot re-sign the

message with Tim’s private key).

5

Additionally, Jenny uses her own private key to sign a message and Tim uses

Jenny’s public key to verify the message.

17.3.3

Verifying a Trusted Remote Host’s Certificate

Certificates issued by certification authorities have the certification authority’s

signature for you to check. Self-signed certificates only have the signature of the

host itself. This means that you must be very careful when deciding to import (and

thereby trust) a remote host’s self-signed certificate.

Trusted Remote Host Certificate Fingerprints

A certificate’s fingerprints are message digests calculated using the MD5 or SHA1

algorithms. The following procedure describes how to use a certificate’s fingerprint

to verify that you have the remote host’s correct certificate.

Page 140 / 300

Chapter 17 Certificates

P-663HN-51 User’s Guide

140

1

Browse to where you have the remote host’s certificate saved on your computer.

2

Make sure that the certificate has a “.cer” or “.crt” file name extension.

Figure 68

Remote Host Certificates

3

Double-click the certificate’s icon to open the

Certificate

window. Click the

Details

tab and scroll down to the

Thumbprint Algorithm

and

Thumbprint

fields.

Figure 69

Certificate Details

4

Verify (over the phone for example) that the remote host has the same

information in the

Thumbprint Algorithm

and

Thumbprint

fields.

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share