SSL – Signed SSL certificates on Zyxel USG60 web interface

ssl ssl-certificate web zyxel

I know that you can add SSH certificates for client/server authentication for the web interface and SSL VPN, but is there a way to change the SSL cert that the web interface sends to the browser just for HTTPS?

I have toyed with the certificates and the CSRs that you can generate, but what I'd really like to do is upload my own CSR and key (and maybe even certificate) and have the box use that, since it's a signed cert. The only reason I ask here is because the Zyxel documentation is extremely lacking and I've found nothing so far…

Any advice?

Best Answer

From my prior (limited) experience with Zyxel gear I remember that the certificate handling only allowed for a key/CSR combination to be generated on the USG. You would have to forward the USG-generated CSR to your CA for signing and pass back the signed certificate into the USG. After the corresponding certificate has been placed in your certificate store, you should be able to use it for TLS as well as IPSec.

It is rather common for security devices (e.g. smart cards) to not let you upload (or download, for that matter) the private key for security reasons, so I never questioned the USG approach. Netscreen/Juniper gear, which Zyxel is trying to mimic, does the same AFAIR.
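Because the private key stays on the device in the workflow the answer describes, a signed certificate is only usable if it carries the public key from the device-generated CSR. The script below is an added example, not part of the original answer: it checks that match with `openssl` before import. The file names, the throwaway CA and the locally generated "device" key are constructed stand-ins; the USG's own export and import steps are not shown.

```shell
#!/bin/sh
# Added example. A locally generated key and CSR stand in for the pair the
# USG creates internally; a throwaway CA stands in for the real CA.

# Print the SHA-256 of the public key in a CSR ($1=req) or certificate ($1=x509).
pubkey_hash() {
    pk=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pk" ] || return 1   # never hash empty output: two failures would "match"
    printf '%s\n' "$pk" | openssl sha256 | awk '{print $NF}'
}

# 0 = certificate carries the CSR's public key, 1 = different key, 2 = unreadable input.
cert_matches_csr() {
    csr_hash=$(pubkey_hash req "$1") || return 2
    crt_hash=$(pubkey_hash x509 "$2") || return 2
    [ "$csr_hash" = "$crt_hash" ]
}

# Build constructed sample files in directory $1 (hypothetical names).
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    for n in device other; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=usg.example.test" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
    done
    # The CA signs only the "device" CSR.
    openssl x509 -req -in "$1/device.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/device.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
if make_demo_files "$demo_dir"; then
    cert_matches_csr "$demo_dir/device.csr" "$demo_dir/device.crt" \
        && echo "device.crt matches device.csr: safe to import"
    cert_matches_csr "$demo_dir/other.csr" "$demo_dir/device.crt" \
        || echo "device.crt does not match other.csr: the device would lack the private key"
fi
rm -rf "$demo_dir"
```
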