Using Certificate For Device Authentication; Using Self-Signed Certificates - ZyXEL Communications ZyWall 35 Support Notes

ZyWALL 35 Support Notes

Using Certificate for Device Authentication

IKE must authenticate the identities of the two systems performing the Diffie-Hellman exchange. This process is
known as primary authentication. IKE can use two primary authentication methods:
1) Digital Signatures
2) Pre-shared keys
Digital signatures and public-key encryption are both based on asymmetric key encryption and require a
mechanism for distributing public keys. This is usually done with security certificates and a Public Key
Infrastructure (PKI).
If certificates (Digital Signatures) are used for authentication, five identity types are available: IP,
DNS, E-mail, Subject Name and Any.
Depending on how the certificates are generated, there are three methods:
1) Using Self-signed Certificates (both peers must be ZyXEL IPSec gateways)
2) Online Enroll Certificates
3) Offline Enroll Certificates
This example shows how to use the PKI feature of the ZyXEL appliance's VPN function. Through PKI,
each party can identify the other during VPN/IPSec negotiation.

Using Self-signed Certificates

For customers who have no CA service in their environment but would like to use the PKI feature,
the ZyWALL provides self-signed certificates. As the name indicates, a self-signed certificate
is a certificate signed by the device (the ZyWALL) itself.
The ZyWALL can sign its own certificate, and that self-signed certificate can then be imported into another
ZyWALL for authentication, so users can use certificates without a CA. The certificate must
be exchanged and imported into Trusted Remote Hosts before the VPN connection is made. Since no CA vouches
for a self-signed certificate, the imported copy is the only thing that establishes trust, so it should be
exchanged over a trusted channel and its fingerprint confirmed before import.
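As an added example (not part of the ZyXEL notes or firmware), the shell script below models the self-signed exchange with the openssl CLI: each gateway signs its own certificate carrying the IP, DNS and E-mail identity types listed above, the peer's certificate is imported as a trust anchor the way Trusted Remote Hosts does, and a certificate from a gateway that was never imported is rejected. The gateway names and addresses are constructed, and openssl 1.1.1 or later is assumed.

```shell
# Added example, not ZyXEL's own code: a self-signed certificate exchange
# between two IPSec gateways, modelled with the openssl CLI. Assumes openssl
# >= 1.1.1 (for -addext); gateway names and addresses are constructed.
set -e
WORK=$(mktemp -d)

# make_gateway_cert NAME IP: the gateway signs its own certificate; the SAN
# carries the IP, DNS and E-mail identity types the notes list.
make_gateway_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$1.example.test/O=Constructed Lab" \
    -addext "subjectAltName=IP:$2,DNS:$1.example.test,email:admin@$1.example.test" \
    >/dev/null 2>&1
}
# fingerprint CERT: SHA-256 fingerprint to compare with the copy the peer
# sends, since no CA vouches for a self-signed certificate.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
# import_trusted_host LOCAL PEER_CERT: the equivalent of adding the peer's
# certificate to LOCAL's Trusted Remote Hosts; it becomes a trust anchor.
import_trusted_host() {
  cat "$2" >>"$WORK/$1.trusted.pem"
}
# verify_peer LOCAL PRESENTED_CERT: succeeds only if the certificate the
# peer presents during IKE matches one LOCAL imported beforehand.
verify_peer() {
  [ -f "$WORK/$1.trusted.pem" ] || return 1
  openssl verify -CAfile "$WORK/$1.trusted.pem" "$2" >/dev/null 2>&1
}
# check_identity CERT TYPE VALUE: the IP, DNS or E-mail identity match.
check_identity() {
  case $2 in
    IP)     label="IP Address:$3" ;;
    DNS)    label="DNS:$3" ;;
    E-mail) label="email:$3" ;;
    *)      return 1 ;;
  esac
  openssl x509 -in "$1" -noout -text | grep -qE "(^|[ ,])$label(,|$)"
}

make_gateway_cert gwA 192.0.2.1
make_gateway_cert gwB 198.51.100.1
echo "gwA fingerprint: $(fingerprint "$WORK/gwA.pem")"
import_trusted_host gwB "$WORK/gwA.pem"
verify_peer gwB "$WORK/gwA.pem" && echo "gwB accepts gwA"
```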
78
All contents copyright (c) 2006 ZyXEL Communications Corporation.
