Chapter 40 Authentication Method
ZyWALL USG 50 User’s Guide
631
Table 195 Configuration > Object > Auth. Method > Add (continued)
LABEL        DESCRIPTION
Add icon     Click Add to add a new entry.
             Click Edit to edit the settings of an entry.
             Click Delete to delete an entry.
OK           Click OK to save the changes.
Cancel       Click Cancel to discard the changes.
Chapter 41
Certificates

41.1 Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users.
Certificates are based on public-private key pairs. A certificate contains the
certificate owner’s identity and public key. Certificates provide a way to exchange
public keys for use in authentication.
41.1.1 What You Can Do in this Chapter
• Use the My Certificate screens (see Section 41.2 on page 637 to Section 41.2.3 on
  page 646) to generate and export self-signed certificates or certification
  requests and import the ZyWALL’s CA-signed certificates.
• Use the Trusted Certificates screens (see Section 41.3 on page 647 to Section
  41.3.2 on page 652) to save CA certificates and trusted remote host certificates
  to the ZyWALL. The ZyWALL trusts any valid certificate that you have imported
  as a trusted certificate. It also trusts any valid certificate signed by any of the
  certificates that you have imported as a trusted certificate.
41.1.2
What You Need to Know
When using public-key cryptology for authentication, each host has two keys. One
key is public and can be made openly available. The other key is private and must
be kept secure.
These keys work like a handwritten signature (in fact, certificates are often
referred to as “digital signatures”). Only you can write your signature exactly as it
should look. When people know what your signature looks like, they can verify
whether something was signed by you, or by someone else. In the same way, your
private key “writes” your digital signature and your public key allows people to
verify whether data was signed by you, or by someone else. This process works as
follows.
1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from
  him, and that the message content has not been altered by anyone else along the
  way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means
  that anyone who receives a message seeming to come from Tim can read it and
  verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows
  that the message is from Tim, and that although other people may have been able
  to read the message, no-one can have altered it (because they cannot re-sign the
  message with Tim’s private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses
  Jenny’s public key to verify the message.
The ZyWALL uses certificates based on public-key cryptology to authenticate users
attempting to establish a connection, not to encrypt the data that you send after
establishing a connection. The method used to secure the data that you send
through an established connection depends on the type of connection. For
example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then
use the certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that
validate a certificate. The ZyWALL does not trust a certificate if any certificate on
its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and
revoked certificates. A directory of certificates that have been revoked before the
scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can
check a peer’s certificate against a directory server’s list of revoked certificates.
The framework of servers, software, procedures and policies that handles keys is
called PKI (public-key infrastructure).
Advantages of Certificates
Certificates offer the following benefits.
• The ZyWALL only has to store the certificates of the certification authorities that
  you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public
  keys and you never need to transmit private keys.
Self-signed Certificates
You can have the ZyWALL act as a certification authority and sign its own
certificates.
Factory Default Certificate
The ZyWALL generates its own unique self-signed certificate when you first turn it
on. This certificate is referred to in the GUI as the factory default certificate.
Certificate File Formats
Any certificate that you want to import has to be in one of these file formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for
  X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses
  lowercase letters, uppercase letters and numerals to convert a binary X.509
  certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data
  (including digital signatures) that may be encrypted. A PKCS #7 file is used to
  transfer a public key certificate. The private key is not included. The ZyWALL
  currently allows the importation of a PKCS#7 file that contains a single
  certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses
  lowercase letters, uppercase letters and numerals to convert a binary PKCS#7
  certificate into a printable form.
• Binary PKCS#12: This is a format for transferring public key and private key
  certificates. The private key in a PKCS #12 file is within a password-encrypted
  envelope. The file’s password is not connected to your certificate’s public or
  private passwords. The password is set when the PKCS #12 file is exported, and
  you must provide it to decrypt the contents when you import the file into the
  ZyWALL.
Note: Be careful not to convert a binary file to text during the transfer process. It is
easy for this to occur since many programs use text files by default.
Finding Out More
• See Section 6.6 on page 105 for related information on these screens.
• See Section 41.4 on page 653 for certificate background information.
41.1.3 Verifying a Certificate
Before you import a trusted certificate into the ZyWALL, you should verify that you
have the correct certificate. You can do this using the certificate’s fingerprint. A
certificate’s fingerprint is a message digest calculated using the MD5 or SHA1
algorithm. The following procedure describes how to check a certificate’s
fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
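The fingerprint check in this procedure, and the binary versus PEM distinction from Certificate File Formats above, as an added example that is not part of the ZyXEL guide: a small Python script that reads a certificate file in either binary X.509 or PEM (Base-64) encoded X.509 form, reduces it to the binary bytes, computes the MD5 or SHA1 fingerprint over those bytes, and compares it with the fingerprint published by the CA or remote host. The sample certificate bytes are a constructed stand-in, not a real certificate, and the function names are my own.

```python
import base64
import binascii
import hashlib
import hmac
import re

# PEM (Base-64) encoded X.509 keeps the binary certificate base64-encoded between these markers.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return the binary X.509 (DER) bytes of a certificate file in either supported format."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30); anything else is
    # usually a file that a transfer program converted from binary to text on the way.
    if not data or data[0] != 0x30:
        raise ValueError("not a binary or PEM X.509 certificate")
    return data

def looks_like_certificate(data: bytes) -> bool:
    """True if the file decodes to DER bytes, False if it was mangled in transfer."""
    try:
        to_der(data)
        return True
    except (ValueError, binascii.Error):
        return False

def hex_fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated uppercase digest (MD5 or SHA1) of the DER bytes, as the GUI shows it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint(data: bytes, algorithm: str = "sha1") -> str:
    """Fingerprint of a certificate file; a PEM file is decoded to DER first."""
    return hex_fingerprint(to_der(data), algorithm)

def matches(data: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Compare the file's fingerprint with the published value; only its hex digits count."""
    want = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    have = fingerprint(data, algorithm).replace(":", "")
    return hmac.compare_digest(have, want)

# Constructed stand-in for a certificate (a tiny ASN.1 SEQUENCE, not a real one)
# and the same bytes wrapped as PEM, the way an export tool would write them.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01])
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print({alg: fingerprint(SAMPLE_PEM, alg) for alg in ("md5", "sha1")})
```

Because the fingerprint is taken over the binary bytes, the PEM and binary copies of the same certificate give the same value, while a file damaged by a binary-to-text conversion is rejected before any digest is computed.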
