Certificates
Certificates Overview
The Zyxel Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
What You Can Do in this Chapter
Use the Local Certificates screen to view and import the Zyxel Device’s CA-signed (Certification Authority) certificates (Local Certificates).
Use the Trusted CA screen to save the certificates of trusted CAs to the Zyxel Device. You can also export the certificates to a computer (Trusted CA).
What You Need to Know
The following terms and concepts may help as you read through this chapter.
Certification Authority
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates. You can use the Zyxel Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.
Local Certificates
Use this screen to view the Zyxel Device’s summary list of certificates, generate certification requests, and import signed certificates. You can import the following certificates to your Zyxel Device:
Web Server – This certificate secures HTTP connections.
SSH – This certificate secures remote connections.
Click Security > Certificates to open the Local Certificates screen.
Security > Certificates > Local Certificates
The following table describes the labels in this screen.
Security > Certificates > Local Certificates 
Label
Description
Replace Private Key/Certificate file in PEM format
Private Key is protected by password
Select this checkbox if the private key is protected by a password, and enter that password in the text box so the Zyxel Device can read the key. You can use up to 63 alphanumeric (0-9, a-z, A-Z) and special characters, including spaces.
Choose File/Browse
Click this button to find the certificate file you want to upload.
Import Certificate
Click this button to save the certificate that you have enrolled from a certification authority from your computer to the Zyxel Device.
Create Certificate Request
Click this button to go to the screen where you can have the Zyxel Device generate a certification request.
Current File
This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Subject
This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country.
Valid From
This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Modify
Click the View icon to open a screen with an in-depth list of information about the certificate.
For a certification request, click Load Signed to import the signed certificate.
Click the Remove icon to remove the certificate (or certification request). A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
Create Certificate Request
Click Security > Certificates > Local Certificates and then Create Certificate Request to open the following screen. Use this screen to have the Zyxel Device generate a certification request. To create a certificate signing request, you need to enter a common name, organization name, state or province name, and a two-letter country code for the certificate (the country code defaults to US and cannot be changed on devices sold in the U.S.).
Security > Certificates > Local Certificates: Create Certificate Request
The following table describes the labels in this screen.
Security > Certificates > Local Certificates: Create Certificate Request 
Label
Description
Certificate Name
Enter a descriptive name to identify this certificate. You can use up to 63 printable characters except [ " ], [ ` ], [ ' ], [ < ], [ > ], [ ^ ], [ $ ], [ | ], [ & ], or [ ; ]. Spaces are allowed.
Common Name
Select Auto to have the Zyxel Device configure this field automatically. Or select Customize to enter it manually.
Enter the IP address (in dotted decimal notation), domain name or email address in the field provided. You can use up to 63 printable characters except [ " ], [ ` ], [ ' ], [ < ], [ > ], [ ^ ], [ $ ], [ | ], [ & ], or [ ; ]. Spaces are allowed. The domain name or email address is for identification purposes only and can be any string.
Organization Name
Enter a descriptive name to identify the company or group to which the certificate owner belongs. You can use up to 32 printable characters except [ " ], [ ` ], [ ' ], [ < ], [ > ], [ ^ ], [ $ ], [ | ], [ & ], or [ ; ]. Spaces are allowed.
State/Province Name
Enter a descriptive name to identify the state or province where the certificate owner is located. You can use up to 32 printable characters except [ " ], [ ` ], [ ' ], [ < ], [ > ], [ ^ ], [ $ ], [ | ], [ & ], or [ ; ]. Spaces are allowed.
Country/Region Name
Select a country to identify the nation where the certificate owner is located.
Cancel
Click Cancel to exit this screen without saving.
OK
Click OK to save your changes.
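The table above states the rules for each subject field (character limits, forbidden characters, a two-letter country code) but not what the device does with them. The following added example, written for this chapter and not Zyxel's own code, enforces those rules and then encodes the four fields as the DER X.501 Name that ends up in the signing request, decoding it back into the "C=..., ST=..., O=..., CN=..." form the Subject column displays. The RDN order (C, ST, O, CN), one attribute per RDN, and the string types (PrintableString for countryName, UTF8String for the rest) are assumptions drawn from RFC 5280 practice, not from the manual; it uses only the Python standard library.

```python
# Added example, not Zyxel's code: enforces the Create Certificate Request
# field rules from the table above, then shows the resulting Subject as a DER
# X.501 Name and as the "C=.., ST=.., O=.., CN=.." string the Subject column shows.

FORBIDDEN = set('"`\'<>^$|&;')          # characters the screen rejects
MAX_LEN = {"CN": 63, "O": 32, "ST": 32}  # limits stated in the table
OIDS = {                                 # X.501 attribute types
    "CN": (2, 5, 4, 3),   # commonName
    "O": (2, 5, 4, 10),   # organizationName
    "ST": (2, 5, 4, 8),   # stateOrProvinceName
    "C": (2, 5, 4, 6),    # countryName
}

def validate_field(attr, value):
    """Return an error message if value breaks the screen's rules, else None."""
    if attr == "C":  # assumption: the country selector yields a 2-letter code
        if len(value) != 2 or not value.isalpha() or not value.isupper():
            return "C must be a two-letter country code such as US"
        return None
    if not value:
        return f"{attr} must not be empty"
    if len(value) > MAX_LEN[attr]:
        return f"{attr} is longer than {MAX_LEN[attr]} characters"
    bad = sorted(FORBIDDEN & set(value))
    if bad:
        return f"{attr} contains forbidden character(s): {' '.join(bad)}"
    if not value.isprintable():  # spaces are printable, as the table allows
        return f"{attr} contains non-printable characters"
    return None

# Minimal DER helpers: tag-length-value encoding and OID packing.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _oid(arcs):
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_subject(fields):
    """Validate {'CN':..,'O':..,'ST':..,'C':..} and encode it as a DER Name.
    Assumed layout: one attribute per RDN in C, ST, O, CN order; countryName as
    PrintableString, the others as UTF8String (RFC 5280's rule for new certs)."""
    errors = {a: e for a, v in fields.items() for e in [validate_field(a, v)] if e}
    if errors:
        raise ValueError(errors)
    rdns = b""
    for attr in ("C", "ST", "O", "CN"):
        if attr in fields:
            tag, enc = (0x13, "ascii") if attr == "C" else (0x0C, "utf-8")
            atv = _tlv(0x30, _oid(OIDS[attr]) + _tlv(tag, fields[attr].encode(enc)))
            rdns += _tlv(0x31, atv)   # RelativeDistinguishedName is a SET
    return _tlv(0x30, rdns)           # Name is a SEQUENCE of RDNs

def decode_subject(der):
    """Render a DER Name the way the Subject column does: 'C=US, ST=.., O=.., CN=..'."""
    by_oid = {_oid(oid): attr for attr, oid in OIDS.items()}  # keyed on OID TLV bytes
    tag, name, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Name")
    parts, pos = [], 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid_content, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        attr = by_oid.get(_tlv(0x06, oid_content), "?")
        parts.append(f"{attr}={value.decode('utf-8')}")
    return ", ".join(parts)

if __name__ == "__main__":
    der = encode_subject({"CN": "vpn.example.test", "O": "Example Corp",
                          "ST": "California", "C": "US"})
    print(der.hex(), "->", decode_subject(der))
```

Running the block prints the hex DER and the decoded subject string. Rejecting the listed characters before they reach the request is what keeps them out of the certificate's distinguished name, where they would otherwise be stored and displayed by every relying party.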
View Certificate Request
Use this screen to view in-depth information about the certificate request. The Certificate is used to verify the authenticity of the certification authority. The Private Key serves as your digital signature for authentication and must be safely stored. The Signing Request contains the certificate signing request value that you copy when you submit the certificate request to the CA (certificate authority).
Click the View icon in the Local Certificates screen to open the following screen.
Security > Certificates > Local Certificates: View Certificate
The following table describes the fields in this screen.
Security > Certificates > Local Certificates: View Certificate 
Label
Description
Name
This field displays the identifying name of this certificate.
Type
This field displays general information about the certificate. ca means that a Certification Authority signed the certificate.
Subject
This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Certificate
This read-only text box displays the certificate in Privacy Enhanced Mail (PEM) format. PEM uses Base64 encoding to convert the binary certificate into a printable form.
You can copy and paste the certificate into an email to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution.
Private Key
This field displays the private key of this certificate.
Signing Request
This field displays the CSR (Certificate Signing Request) information of this certificate. The CSR will be provided to a certificate authority, and it includes information about the public key, organization name, domain name, location, and country of this certificate.
Back
Click Back to return to the previous screen.
Trusted CA
Click Security > Certificates > Trusted CA to open the following screen. This screen displays a summary list of certificates of the certification authorities that you have set the Zyxel Device to accept as trusted. The Zyxel Device accepts any valid certificate signed by a certification authority on this list as being trustworthy, which means you do not need to import any certificate that is signed by one of these certification authorities.
Security > Certificates > Trusted CA
The following table describes the labels in this screen.
Security > Certificates > Trusted CA 
Label
Description
Import Certificate
Click this to open a screen where you can save the certificate of a certification authority that you trust to the Zyxel Device.
#
This is the index number of the entry.
Name
This field displays the name used to identify this certificate.
Subject
This field displays information that identifies the owner of the certificate, such as Common Name (CN), OU (Organizational Unit or department), Organization (O), State (ST) and Country (C). It is recommended that each certificate have unique subject information.
Type
This field displays general information about the certificate. ca means that a Certification Authority signed the certificate.
Modify
Click the View icon to open a screen with an in-depth list of information about the certificate (or certification request).
Click the Remove icon to delete the certificate (or certification request). You cannot delete a certificate that one or more features is configured to use.
Import Trusted CA Certificate
Click Import Certificate in the Trusted CA screen to open the Import Certificate screen. The Zyxel Device trusts any valid certificate signed by any of the imported trusted CA certificates. Certificates should be in one of the following formats: Binary X.509, PEM (base-64) encoded, Binary PKCS#7, or PEM (base-64) encoded PKCS#7.
Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
Security > Certificates > Trusted CA > Import Certificate
The following table describes the labels in this screen.
Security > Certificates > Trusted CA > Import Certificate 
Label
Description
Certificate File Path
Enter the location of the file you want to upload in this field or click Choose File/Browse to find it.
Choose File/Browse
Click this to find the certificate file you want to upload.
OK
Click this to save the certificate on the Zyxel Device.
Cancel
Click this to exit this screen without saving.
View Trusted CA Certificate
Use this screen to view in-depth information about the certification authority’s certificate. The certificate text box is read-only and can be distributed to others.
Click Security > Certificates > Trusted CA to open the Trusted CA screen. Click the View icon to open the View Certificate screen.
Security > Certificates > Trusted CA > View Certificate
The following table describes the labels in this screen.
Security > Certificates > Trusted CA > View Certificate 
Label
Description
Name
This field displays the identifying name of this certificate.
Certificate
This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses a 64-character ASCII alphabet (Base64) to convert the binary certificate into a printable form.
You can copy and paste the certificate into an email to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (through USB thumb drive for example).
Back
Click this to return to the previous screen.
Certificates Technical Reference
This section provides some technical background information about the topics covered in this chapter.
Certification Authorities
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities.
Public and Private Keys
When using public-key cryptography for authentication, each host has two keys. One key is public and can be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows.
1 Tim wants to send a private message to Jenny. Tim generates a public-private key pair. What is encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s public key to decrypt the message.
The Zyxel Device uses certificates based on public-key cryptography to authenticate users attempting to establish a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.
Advantages of Certificates
Certificates offer the following benefits.
The Zyxel Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
Certificate File Format
The certification authority certificate that you want to import has to be in PEM (Base-64) encoded X.509 file format. This Privacy Enhanced Mail format uses a 64-character ASCII alphabet to convert a binary X.509 certificate into a printable form.
Verify a Certificate
Before you import a trusted CA or trusted remote host certificate into the Zyxel Device, you should verify that you have the actual certificate. This is especially true of trusted CA certificates since the Zyxel Device also trusts any valid certificate signed by any of the imported trusted CA certificates.
You can use a certificate’s fingerprint to verify it. A certificate’s fingerprint is a message digest calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
Certificates on Your Computer
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Certificate Details
Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
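The procedure above checks a thumbprint by eye in the Windows certificate viewer. The following added example, written for this chapter and not Zyxel's code, does the same check programmatically and also covers the file formats the Import Certificate screen accepts: it unwraps a PEM (Base64) X.509 or PKCS#7 file into its binary DER bytes, computes the MD5, SHA-1 or SHA-256 fingerprint over those bytes, and compares it in constant time with a value the certificate owner confirmed over a secure channel, accepting the colon-separated, spaced or bare hex spellings different tools display. The sample PEM is constructed for the demonstration (its body decodes to the bytes "abc", not a real certificate); the function and variable names are this example's own.

```python
# Added example, not Zyxel's code: turns a certificate file in any format the
# Import Certificate screen accepts into DER bytes and checks its fingerprint
# against a value obtained out of band (the "Verify a Certificate" procedure).
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

def to_der(data):
    """Return (kind, der) for PEM-wrapped or binary X.509 / PKCS#7 input bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = PEM_BLOCK.search(data.decode("ascii"))
        if not m:
            raise ValueError("PEM markers present but no complete block found")
        label, body = m.group(1), m.group(2)
        # Keep only the Base64 lines; skip blank lines and RFC 1421 headers ('Proc-Type:' etc.).
        b64 = "".join(ln.strip() for ln in body.splitlines() if ln.strip() and ":" not in ln)
        return ("PKCS#7" if label == "PKCS7" else "X.509"), base64.b64decode(b64, validate=True)
    return "binary", data

def is_der_sequence(der):
    """Sanity check: X.509 certificates and PKCS#7 blobs are DER SEQUENCEs (tag 0x30)
    whose declared length matches the data that follows."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    length, pos = der[1], 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return pos + length == len(der)

def fingerprint(der, algorithm="sha1"):
    """Digest of the DER bytes as colon-separated upper-case hex pairs."""
    digest = ALGORITHMS[algorithm](der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()

def normalize(fp):
    """Reduce any thumbprint spelling ('A9:99:..', 'a9 99 ..', 'a999..') to bare lower-case hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def matches_expected(data, expected, algorithm="sha1"):
    """True only if the file's fingerprint equals the value confirmed with the owner."""
    _, der = to_der(data)
    got, want = normalize(fingerprint(der, algorithm)), normalize(expected)
    return len(got) == len(want) and hmac.compare_digest(got, want)

# Constructed sample, not a real certificate: the PEM body is the bytes b"abc"
# (Base64 "YWJj"), so its fingerprints are the published MD5/SHA-1 test vectors
# for "abc". A genuine certificate decodes to DER that passes is_der_sequence().
SAMPLE_PEM = b"""-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    kind, der = to_der(SAMPLE_PEM)
    print(kind, "DER sequence:", is_der_sequence(der))
    for alg in ALGORITHMS:
        print(alg, fingerprint(der, alg))
    # Value read back to you over the phone or from an HTTPS page, in Windows' spaced style.
    print(matches_expected(SAMPLE_PEM, "a9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"))
```

Hashing the DER bytes rather than the PEM text is what makes the result agree with the Thumbprint field and with other tools: the same certificate gives the same fingerprint whether it was saved as PEM or binary X.509. The comparison uses hmac.compare_digest so that a mismatch is reported without timing leaks, and a length check first so that a truncated value is never treated as a prefix match.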