This example shows how to use the PKI feature of the VPN function on ZyXEL appliances. With PKI, the two parties can identify each other during VPN/IPSec negotiation. With online enrollment, the ZyWALL first creates a certification request locally, then sends the request to a trusted CA (Certificate Authority) server, and finally receives a certificate for later use. The ZyWALL supports both SCEP and CMP as online enrollment protocols; both provide a secure mechanism to transmit the ZyWALL's certification request over the Internet. In this example we use SCEP to enroll the certificates.
Step 1. Download CA server's Certificate
Step 2. Create certificate request and enroll certificate request on ZyWALL A
Step 3. Create certificate request and enroll certificate request on ZyWALL B
Step 4. Using Certificate in VPN on ZyWALL A
Step 5. Using Certificate in VPN on ZyWALL B

Topology: LAN 1 (10.1.133.0/24) --- ZyWALL A (LAN: 10.1.133.1) --- ZyWALL B (LAN: 192.168.2.1) --- LAN 2 (192.168.2.0/24)
Step 1. Download CA server's Certificate
The most critical part of an online certification request is that the request must be sent over the Internet, which is an insecure environment. To prevent the certification request from being modified or eavesdropped on, we first need to download the CA server's certificate. When the ZyWALL delivers the certification request, the public key in the CA server's certificate is used to protect the data.
You may need to access the CA server's web interface or contact its administrator to get the CA's certificate. Then go to SECURITY->CERTIFICATES->Trusted CAs to import the downloaded certificate.
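As an added example (not part of the ZyXEL document), this is the check worth doing before importing the downloaded CA certificate: compare its SHA-256 fingerprint with the value obtained from the CA administrator, so a certificate that was altered in transit is rejected. It assumes openssl is installed; the CA certificate used here is a constructed, self-signed stand-in.

```shell
#!/bin/sh
# Added example, not ZyXEL's code: a CA certificate fetched over plain HTTP
# (as SCEP GetCACert does) is only trustworthy once its fingerprint matches
# the value the CA administrator gave you out of band. Check before importing.
set -eu
WORK=$(mktemp -d)

# Constructed stand-in for the real CA certificate so the example runs
# offline: a throw-away self-signed certificate generated locally.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    echo "$WORK/ca.pem"
}

# SHA-256 fingerprint of a PEM or DER certificate as colon-separated hex,
# the form CA web interfaces and administrators normally quote.
cert_fingerprint() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then fmt=PEM; else fmt=DER; fi
    openssl x509 -in "$1" -inform "$fmt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds only when the downloaded certificate's fingerprint equals the
# expected one (colons and letter case ignored); on failure, do not import.
verify_ca_fingerprint() {
    actual=$(cert_fingerprint "$1" | tr -d ':' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

CA_PEM=$(make_sample_ca)
GOOD_FP=$(cert_fingerprint "$CA_PEM")   # stands in for the administrator-supplied value
# Constructed wrong value, as would result from a tampered download.
BAD_FP=11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
if verify_ca_fingerprint "$CA_PEM" "$GOOD_FP"; then echo "fingerprint matches: safe to import as Trusted CA"; fi
if ! verify_ca_fingerprint "$CA_PEM" "$BAD_FP"; then echo "fingerprint mismatch: do not import"; fi
```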

Step 2. Create certificate request and enroll certificate request on ZyWALL A
Input a name for this certificate so you can identify it later.
In Subject Information, give this certificate a Common Name of type Host IP Address, Host Domain Name or E-Mail address. Organizational Unit, Organization and Country are optional fields; you are free to enter them or leave them blank.
Finally, specify the key length.
Select Create a certification request and enroll for a certificate immediately online.
Set the Enrollment Protocol to Simple Certificate Enrollment Protocol (SCEP).
In the "CA Server's Address" field, input the URL used to access the CA server, for example http://1.1.1.1:8080/scep/
Choose the previously downloaded CA server's certificate from the drop-down list.
Input the user name and password if necessary.
Then click Apply.

After you press the Apply button, the ZyWALL creates the certification request and sends it to the CA server for enrollment. It may take about one minute to complete the whole process. After the CA server agrees to issue the corresponding certificate, you will find the newly enrolled certificate in My Certificates.

Step 3. Create certificate request and enroll certificate request on ZyWALL B
Input a name for this certificate so you can identify it later.
In Subject Information, give this certificate a Common Name of type Host IP Address, Host Domain Name or E-Mail address. Organizational Unit, Organization and Country are optional fields; you are free to enter them or leave them blank.
Finally, specify the key length.
Select Create a certification request and enroll for a certificate immediately online.
Set the Enrollment Protocol to Simple Certificate Enrollment Protocol (SCEP).
In the "CA Server's Address" field, input the URL used to access the CA server, for example http://1.1.1.1:8080/scep/
Choose the previously downloaded CA server's certificate from the drop-down list.
Input the user name and password if necessary.
Then click Apply.

After you press the Apply button, the ZyWALL creates the certification request and sends it to the CA server for enrollment. After the CA server agrees to issue the corresponding certificate, the ZyWALL receives it automatically, and you will find the newly enrolled certificate in My Certificates.
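As an added example (not ZyXEL's code) covering Steps 2 and 3, the following builds the kind of certification request the ZyWALL generates from the Subject Information fields and the chosen key length, and inspects it locally with openssl before it would be handed to the CA over SCEP. The host names, organization and key length are constructed sample values, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not ZyXEL's code: builds the same kind of certification
# request the ZyWALL creates in Steps 2 and 3 (subject from the UI fields, a
# chosen key length) and checks it before it is handed to the CA over SCEP.
set -eu
WORK=$(mktemp -d)

# Map the Common Name the way the UI offers it (Host IP Address, Host Domain
# Name or E-Mail address) to the matching subjectAltName type.
san_for_cn() {
    case "$1" in
        *@*)        echo "email:$1" ;;
        *[!0-9.]*)  echo "DNS:$1" ;;
        *)          echo "IP:$1" ;;
    esac
}

# Emit "KEY = value" only when an optional field (OU, O, C) was filled in.
dn_field() { if [ -n "$2" ]; then printf '%s = %s\n' "$1" "$2"; fi; }

# make_csr <key bits> <common name> [OU] [O] [C]: generate the private key
# locally (it never leaves the device) and sign a CSR for it. Prints the path.
make_csr() {
    bits="$1"; cn="$2"; key="$WORK/$cn.key"; csr="$WORK/$cn.csr"; cnf="$WORK/$cn.cnf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
        printf '[dn]\nCN = %s\n' "$cn"
        dn_field OU "${3:-}"; dn_field O "${4:-}"; dn_field C "${5:-}"
        printf '[ext]\nsubjectAltName = %s\n' "$(san_for_cn "$cn")"
    } > "$cnf"
    openssl genrsa -out "$key" "$bits" 2>/dev/null
    openssl req -new -key "$key" -config "$cnf" -out "$csr"
    echo "$csr"
}

# Inspection helpers: subject, SAN, key size, and the CSR's own signature.
csr_subject()  { openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
csr_san()      { openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'; }
csr_key_bits() { openssl req -in "$1" -noout -text | grep -o '([0-9]* bit)' | head -1 | tr -dc '0-9'; }
csr_verify()   { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Constructed sample: ZyWALL A identified by host domain name, 2048-bit key.
CSR=$(make_csr 2048 zywall-a.example.com "" "Example Ltd" TW)
echo "subject:  $(csr_subject "$CSR")"
echo "SAN:      $(csr_san "$CSR")   key bits: $(csr_key_bits "$CSR")"
csr_verify "$CSR" && echo "request signature verifies: ready to submit to the CA"
```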

Step 4. Using Certificate in VPN on ZyWALL A
1. Activate the rule.
2. Give this VPN rule the name "toZyWALL_B".
3. Set Key Management to "IKE".
4. Set Negotiation Mode to "Main".
5. Edit Local: Address Type="Subnet Address", Starting IP Address="10.1.33.0", End IP Address/Subnet Mask="255.255.255.0".
6. Edit Remote: Address Type="Subnet Address", Starting IP Address="192.168.2.0", End IP Address/Subnet Mask="255.255.255.0".
7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP Address="192.168.1.35".
9. Peer ID Type="ANY".
10. Secure Gateway Address="192.168.1.36".
11. Encapsulation Mode="Tunnel".
12. Leave the other options at their defaults.
13. You can check the detailed settings by clicking the Advanced button.

Step 5. Using Certificate in VPN on ZyWALL B
1. Activate the rule.
2. Give this VPN rule the name "toZyWALL_A".
3. Set Key Management to "IKE".
4. Set Negotiation Mode to "Main".
5. Edit Local: Address Type="Subnet Address", Starting IP Address="192.168.2.0", End IP Address/Subnet Mask="255.255.255.0".
6. Edit Remote: Address Type="Subnet Address", Starting IP Address="10.1.33.0", End IP Address/Subnet Mask="255.255.255.0".
7. Authentication Key: select Certificate, and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP Address="192.168.1.36".
9. Peer ID Type="ANY".
10. Secure Gateway Address="192.168.1.35".
11. Encapsulation Mode="Tunnel".
12. Leave the other options at their defaults.
13. You can check the detailed settings by clicking the Advanced button.
