Self-Signed Certificates; Configuration Summary - ZyXEL Communications ZyWall 10W User Manual

ZyWALL Series Internet Security Gateway

The ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

16.1.1 Advantages of Certificates

Certificates offer the following benefits.

• The ZyWALL only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

16.2 Self-signed Certificates

Until public-key infrastructure becomes more mature, it may not be available in some areas. You can have
the ZyWALL act as a certification authority and sign its own certificates.
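
The trust decision described in 16.1 and 16.2 can be reproduced on a workstation with the openssl command-line tool. The following is an added example, not part of the ZyXEL manual or the ZyWALL firmware: a self-signed CA signs peer certificates, and a peer is accepted only if its signature verifies, it is within its validity period and it is not on the CA's CRL. The function names, file names and subject names are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed names; needs the openssl command-line tool.
# All files are written to the current directory.

# Self-signed CA (the role section 16.2 gives the gateway) plus a minimal
# "openssl ca" configuration used only to record revocations and sign the CRL.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.crt 2>/dev/null
    : > index.txt
    printf '%s\n' '[ca]' 'default_ca = demo' '[demo]' 'database = index.txt' \
        'default_md = sha256' 'default_crl_days = 1' > ca.cnf
}

# issue_peer NAME SERIAL DAYS: the CA signs NAME's public key with its private key.
issue_peer() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -set_serial "$2" -days "$3" -out "$1.crt" 2>/dev/null
}

# make_crl: publish a CRL signed by the CA from the revocation database.
make_crl() {
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt \
        -gencrl -out crl.pem 2>/dev/null
}

# revoke NAME: record the certificate as revoked, then reissue the CRL.
revoke() {
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt \
        -revoke "$1.crt" 2>/dev/null
    make_crl
}

# check_peer NAME [EPOCH]: succeeds only if NAME.crt verifies against the CA's
# public key, is valid at the check time (EPOCH seconds if given, else now)
# and is not listed in the CRL. -crl_check covers the peer certificate only;
# -crl_check_all applies the CRL check to every certificate on the path.
check_peer() {
    openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check \
        ${2:+-attime "$2"} "$1.crt"
}
```

To try it, source the file in an empty directory and run make_ca, issue_peer alice 2 30, make_crl and check_peer alice, then revoke alice and check_peer alice again to see the rejection.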

16.3 Configuration Summary

This section summarizes how to manage certificates on the ZyWALL.

This manual is also suitable for: Zywall 30w, Zywall 100, Zywall 50
