Chapter 17 Certificates
P-663HN-51 User’s Guide
136
17.2.1 Trusted CA Details
Use this screen to view in-depth information about the certification authority’s certificate. Click Advanced Setup > Certificate to open the Trusted CAs screen. Then click a certificate’s View button to open the details screen.
Figure 66 Trusted CA Details
The following table describes the labels in this screen.
Table 51 Trusted CA Details
Name: This field displays the identifying name of this certificate.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Subject: This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Certificate: This is the certificate’s information displayed in plain text.
Back: Click this to return to the previous screen.
17.2.2 Trusted CA Import
Click Advanced Setup > Certificate to open the Trusted CA screen and then click Import Certificate to open the following screen. Use this screen to save a trusted certification authority’s certificate to the ZyXEL Device.
Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
Figure 67 Trusted CA Import
The following table describes the labels in this screen.
Table 52 Trusted CA Import
Certificate Name: Enter the name of the CA certificate.
Certificate: Open the trusted CA certificate in Notepad, copy its contents and paste them into this field.
Apply: Click this to save the certificate on the ZyXEL Device.
17.3 Certificates Technical Reference
This section provides technical background information about the topics covered in this chapter.
17.3.1 Certificates Overview
The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (Public-Key Infrastructure).
Advantages of Certificates
Certificates offer the following benefits.
• The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
Self-signed Certificates
You can have the ZyXEL Device act as a certification authority and sign its own certificates.
17.3.2 Private-Public Certificates
When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.
1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.
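The Tim and Jenny exchange (steps 1 to 4) as an added Go example; this is not code from the user’s guide or from the device’s firmware. It assumes ECDSA over P-256 with SHA-256 as the signature scheme and a constructed sample message, and shows the two cases the text rules out: a message altered in transit, and a re-signing attempt by someone who does not hold Tim’s private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Sign plays the sender's part (Tim): hash the message and sign the digest with the
// private key, which never leaves the signer.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify plays the receiver's part (Jenny): the openly published public key confirms
// that the matching private key signed exactly this message.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Exchange walks through steps 1-4 and reports what Jenny concludes for the genuine
// message, an altered copy, and a forgery by a third party without Tim's private key.
func Exchange() (genuine, altered, impostor bool, err error) {
	tim, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step 1: Tim's key pair
	if err != nil {
		return false, false, false, err
	}
	timPublic := &tim.PublicKey                             // step 2: this half is shared openly
	msg := []byte("Please transfer the report by Friday.") // constructed sample message
	sig, err := Sign(tim, msg)                              // step 3: Tim signs with his private key
	if err != nil {
		return false, false, false, err
	}
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a third party with its own key pair
	forged, _ := Sign(other, msg)                               // the same text, signed with the wrong key
	// step 4: Jenny checks each message against Tim's public key
	genuine = Verify(timPublic, msg, sig)
	altered = Verify(timPublic, []byte("Please transfer the report by Monday."), sig)
	impostor = Verify(timPublic, msg, forged)
	return genuine, altered, impostor, nil
}
```

Only the first check succeeds; the altered copy and the re-signed copy both fail, which is why Jenny can trust the content as well as the origin.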
17.3.3 Verifying a Trusted Remote Host’s Certificate
Certificates issued by certification authorities have the certification authority’s signature for you to check. Self-signed certificates only have the signature of the host itself. This means that you must be very careful when deciding to import (and thereby trust) a remote host’s self-signed certificate.
Trusted Remote Host Certificate Fingerprints
A certificate’s fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to use a certificate’s fingerprint to verify that you have the remote host’s correct certificate.
1 Browse to where you have the remote host’s certificate saved on your computer.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
Figure 68 Remote Host Certificates
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 69 Certificate Details
4 Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
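An added Go example (not code from the guide or the device) covering two points in this chapter: computing the MD5 and SHA1 thumbprints that the Windows Certificate window displays, for the out-of-band comparison in step 4, and the rule from 17.3.1 that a certificate is not trusted when any certificate on its path has expired. The CA and host certificates are constructed test data, and the CRL check is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint is the fingerprint as the Windows Certificate window shows it: the MD5 or
// SHA1 digest of the certificate's DER bytes, rendered as space-separated hex pairs.
func Thumbprint(der []byte, alg string) string {
	if alg == "MD5" {
		sum := md5.Sum(der)
		return fmt.Sprintf("% x", sum[:])
	}
	sum := sha1.Sum(der)
	return fmt.Sprintf("% x", sum[:])
}

// BuildChain constructs a CA certificate and a host certificate it signs (test data, not
// from the device). caNotAfter lets the caller build a path whose CA has already expired.
func BuildChain(caNotAfter time.Time) (caDER, hostDER []byte, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hostKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start := time.Now().Add(-time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: start, NotAfter: caNotAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if caDER, err = x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	host := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "remote-host"},
		NotBefore: start, NotAfter: start.Add(48 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	hostDER, err = x509.CreateCertificate(rand.Reader, host, caCert, &hostKey.PublicKey, caKey)
	return caDER, hostDER, err
}

// PathValid mirrors the device's rule: the host certificate must chain to a trusted CA and
// no certificate on the path may be outside its validity period (revocation not modelled).
func PathValid(hostDER, caDER []byte) bool {
	host, err := x509.ParseCertificate(hostDER)
	ca, err2 := x509.ParseCertificate(caDER)
	if err != nil || err2 != nil {
		return false
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = host.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
```

A host certificate that is itself still valid is rejected as soon as the CA above it has expired, and the thumbprint of the imported file must match the value the remote administrator reads out before the certificate is trusted.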
