Chapter 15 Certificates
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI
15.1.1 Advantages of Certificates
Certificates offer the following benefits.
•The ZyWALL only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
•Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
15.2Self-signed Certificates
You can have the ZyWALL act as a certification authority and sign its own certificates.
15.3 Verifying a Certificate
Before you import a trusted CA or trusted remote host certificate into the ZyWALL, you should verify that you have the actual certificate. This is especially true of trusted CA certificates since the ZyWALL also trusts any valid certificate signed by any of the imported trusted CA certificates.
15.3.1 Checking the Fingerprint of a Certificate on Your Computer
A certificate’s fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate.
1Browse to where you have the certificate saved on your computer.
2Make sure that the certificate has a “.cer” or “.crt” file name extension.
Figure 195 Certificates on Your Computer
3
296 |
| |
ZyWALL 2 Plus User’s Guide |
| |
|
|
|