ZyXEL Communications P-660HN-F1 12.6Certificates Technical Reference, 12.6.1 Certificates Overview

Chapter 12 Certificates

Table 77 Directory Server Add and Edit (continued)

LABEL	DESCRIPTION
Login	The ZyXEL Device may need to authenticate itself in order to assess the directory
	server. Type the login name (up to 31 ASCII characters) from the entity
	maintaining the directory server (usually a certification authority).

Password	Type the password (up to 31 ASCII characters) from the entity maintaining the
	directory server (usually a certification authority).

Back	Click this to return to the Directory Servers screen.

Apply	Click this to save your changes.

Cancel	Click this to restore your previously saved settings.

A.At the time of writing, LDAP is the only choice of directory server access protocol.

12.6Certificates Technical Reference

This section provides technical background information about the topics covered in this chapter.

12.6.1 Certificates Overview

The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.

The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (Public-Key Infrastructure).

Advantages of Certificates

Certificates offer the following benefits.

•The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.

208
208	P-660HN-F1 User’s Guide