Advantages Of Certificates; Self-Signed Certificates; Factory Default Certificate; Certificate File Formats - ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual

Chapter 40 Certificates
Certification authorities maintain directory servers with databases of valid and revoked
certificates. A directory of certificates that have been revoked before the scheduled expiration
is called a CRL (Certificate Revocation List). The ZyWALL can check a peer's certificate
against a directory server's list of revoked certificates. The framework of servers, software,
procedures and policies that handles keys is called PKI (public-key infrastructure).

40.1.1 Advantages of Certificates

Certificates offer the following benefits.
• The ZyWALL only has to store the certificates of the certification authorities that you
decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and
you never need to transmit private keys.

40.2 Self-signed Certificates

Until public-key infrastructure becomes more mature, it may not be available in some areas.
You can have the ZyWALL act as a certification authority and sign its own certificates.

40.3 Factory Default Certificate

The ZyWALL generates its own unique self-signed certificate when you first turn it on. This
certificate is referred to in the GUI as the factory default certificate.

40.3.1 Certificate File Formats

Any certificate that you want to import has to be in one of these file formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509
certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII
characters to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including
digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key
certificate. The private key is not included. The ZyWALL currently allows the importation
of a PKS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64
ASCII characters to convert a binary PKCS#7 certificate into a printable form.
• Binary PKCS#12: This is a format for transferring public key and private key
certificates.The private key in a PKCS #12 file is within a password-encrypted envelope.
The file's password is not connected to your certificate's public or private passwords.
Exporting a PKCS #12 file creates this and you must provide it decrypt the contents when
you import the file into the ZyWALL.
546
ZyWALL USG 300 User's Guide