ZyXEL Communications P660HN-Fx User Manual
Chapter 15 Certificates
ADSL Series User’s Guide
194
The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting
to establish a connection. The method used to secure the data that you send through an
established connection depends on the type of connection. For example, a VPN tunnel might use
the triple DES encryption algorithm.
to establish a connection. The method used to secure the data that you send through an
established connection depends on the type of connection. For example, a VPN tunnel might use
the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the
certification authority’s public key to verify the certificates.
certification authority’s public key to verify the certificates.
Certification Path
A certification path is the hierarchy of certification authority certificates that validate a certificate.
The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been
revoked.
The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been
revoked.
Certificate Directory Servers
Certification authorities maintain directory servers with databases of valid and revoked certificates.
A directory of certificates that have been revoked before the scheduled expiration is called a CRL
(Certificate Revocation List). The ZyXEL Device can check a peer’s certificate against a directory
server’s list of revoked certificates. The framework of servers, software, procedures and policies
that handles keys is called PKI (public-key infrastructure).
A directory of certificates that have been revoked before the scheduled expiration is called a CRL
(Certificate Revocation List). The ZyXEL Device can check a peer’s certificate against a directory
server’s list of revoked certificates. The framework of servers, software, procedures and policies
that handles keys is called PKI (public-key infrastructure).
Advantages of Certificates
Certificates offer the following benefits.
• The ZyXEL Device only has to store the certificates of the certification authorities that you decide
to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you
never need to transmit private keys.
Certificate File Formats
The certification authority certificate that you want to import has to be in one of these file formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to
convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital
signatures) that may be encrypted. The ZyXEL Device currently allows the importation of a
PKS#7 file that contains a single certificate.
PKS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII
characters to convert a binary PKCS#7 certificate into a printable form.
Note: Be careful not to convert a binary file to text during the transfer process. It is easy
for this to occur since many programs use text files by default.