ZyXEL Communications ZyWALL 5 Support Notes page 62

ZyWALL 5 Support Notes
servers, and finally get a certificate for further usage. ZyWALL supports both SCEP and CMP as
methods of online enrollment. Both protocols provide mechanisms to transmit ZyWALL's certification
request securely over the Internet. In this example, we use the SCEP protocol to
enroll certificates.
Step 1. Download CA server's Certificate
Step 2. Create certificate request and enroll certificate request on ZyWALL A
Step 3. Create certificate request and enroll certificate request on ZyWALL B
Step 4. Using Certificate in VPN on ZyWALL A
Step 5. Using Certificate in VPN on ZyWALL B
[Figure: network topology]
LAN 1 (10.1.133.0/24) --- ZyWALL A (LAN: 10.1.133.1, WAN: 192.168.1.35) --- ZyWALL B (WAN: 192.168.1.36, LAN: 192.168.2.1) --- LAN 2 (192.168.2.0/24)
Step 1. Download CA server's Certificate
The most critical part of an online certification request is that the request must be sent over the
Internet, which is an insecure environment. To prevent the certification request from being modified or
eavesdropped on, we first need to download the CA server's certificate. When ZyWALL delivers the
certification request, the public key in the CA server's certificate is used to protect the data.
You may need to access the CA server's web interface or contact the administrator to get the CA's certificate.
Then go to SECURITY->CERTIFICATES->Trusted CAs to import the downloaded certificate.
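Because the enrollment that follows relies on this CA certificate, it is worth comparing the downloaded file's fingerprint with one obtained from the CA administrator over a separate channel before importing it. The following is an added example, not part of the ZyXEL notes; the function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of exactly one certificate (PEM or DER file)."""
    if b"-----BEGIN" in data:
        blocks = PEM_RE.findall(data.decode("ascii"))
        if len(blocks) != 1:  # a bundle could slip in an extra trust anchor
            raise ValueError(f"expected 1 certificate, found {len(blocks)}")
        data = base64.b64decode("".join(blocks[0].split()), validate=True)
    if data[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
        raise ValueError("not a certificate (saved an HTML error page?)")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(cert_der(data)).hexdigest()

def matches_trusted(data: bytes, trusted_fp: str) -> bool:
    """Compare with a fingerprint given as 'AB:CD:..' or plain hex."""
    fp = re.sub(r"[\s:]", "", trusted_fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("trusted value is not a SHA-256 fingerprint")
    return hmac.compare_digest(fingerprint(data), fp)

def to_pem(der: bytes) -> bytes:
    """Helper for the constructed sample: wrap DER bytes as PEM."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"-----BEGIN CERTIFICATE-----\n{body}\n"
            "-----END CERTIFICATE-----\n").encode()

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a
# hash over whatever DER bytes the downloaded file contains.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    # In practice the trusted value comes from the CA administrator.
    trusted = fingerprint(SAMPLE_DER).upper()
    print("downloaded:", fingerprint(SAMPLE_PEM))
    print("match:", matches_trusted(SAMPLE_PEM, trusted))
    tampered = to_pem(SAMPLE_DER[:-1] + b"\x00")
    print("tampered match:", matches_trusted(tampered, trusted))
```

Import the certificate under Trusted CAs only when the comparison succeeds; a mismatch or a parse error means the file is not the certificate the administrator vouched for.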
All contents copyright (c) 2006 ZyXEL Communications Corporation.
