Chapter 24 Certificates
AX/DX/EX/PX Series User’s Guide
340
Certification Authorities
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner.
There are commercial certification authorities like CyberTrust or VeriSign and government certification
authorities.
Public and Private Keys
When using public-key cryptology for authentication, each host has two keys. One key is public and can
be made openly available; the other key is private and must be kept secure. Public-key encryption in
general works as follows.
1 Tim wants to send a private message to Jenny. Tim generates a public-private key pair. What is
encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s public key to
decrypt the message.
The Zyxel Device uses certificates based on public-key cryptology to authenticate users attempting to
establish a connection. The method used to secure the data that you send through an established
connection depends on the type of connection. For example, a VPN tunnel might use the triple DES
encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification
authority’s public key to verify the certificates.
Advantages of Certificates
Certificates offer the following benefits.
• The Zyxel Device only has to store the certificates of the certification authorities that you decide to
trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never
need to transmit private keys.
Certificate File Format
The certification authority certificate that you want to import has to be in PEM (Base-64) encoded X.509
file format. This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509
certificate into a printable form.
24.7.1 Verify a Certificate
Before you import a trusted CA or trusted remote host certificate into the Zyxel Device, you should verify
that you have the actual certificate. This is especially true of trusted CA certificates since the Zyxel
Device also trusts any valid certificate signed by any of the imported trusted CA certificates.
To Next Page
Loading...
