
PKI Overview

A Public Key Infrastructure (PKI) is a system that helps facilitate secure communications through the use of digital certificates. Reflection supports the use of a PKI for host and user authentication during Secure Shell and SSL/TLS sessions.


Authentication is the process of reliably determining the identity of a communicating party. Identity can be proven by something you know (such as a password), something you have (such as a private key or token), or something intrinsic about you (such as a fingerprint). In a typical Telnet session to a remote host, the user authenticates with a password, but the host is not authenticated. More secure protocols, including Secure Shell and SSL/TLS, require host authentication. In both Secure Shell and SSL/TLS sessions, host authentication is accomplished using public key cryptography. In addition, both session types can also be configured to use public key cryptography for user authentication.

Public Key Cryptography

Public key cryptography uses a mathematical algorithm with a public/private key pair to encrypt and decrypt data. One of the keys is a public key, which can be freely distributed to communicating parties, and the other is a private key, which must be kept secret by the owner of the key. Data encrypted with the private key can be decrypted only with the public key, and data encrypted with the public key can be decrypted only with the private key.

When keys are used for authentication, the party being authenticated creates a digital signature using the private key of a public/private key pair. The recipient must use the corresponding public key to verify the authenticity of the digital signature. This means that the recipient must have a copy of the other party's public key and trust in the authenticity of that key.

Digital certificates

Digital certificates are an integral part of a PKI (Public Key Infrastructure). Certificates are issued by a certification authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted.
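As an added example that is not Reflection's code, the Go program below uses only the standard library to walk through the two mechanisms described above: it builds a constructed CA and a host certificate signed by it, verifies the host certificate against a trust store that plays the certificate store's role, shows that a certificate altered after signing fails that check, and then runs the signature-based authentication from the Public Key Cryptography section, where the host signs a nonce with its private key and the recipient verifies it with the public key carried in the certificate. The names, serial numbers and nonce are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert makes a P-256 key pair and a certificate for cn signed by parent; a nil parent means a self-signed root CA.
func NewCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root CA: vouches for itself and is allowed to sign other certificates
		t.IsCA, t.KeyUsage, parent, parentKey = true, t.KeyUsage|x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey) // CA signs the contents
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}
// Trusted reports whether the CA signature on cert verifies against a root in store (the certificate store's role).
func Trusted(cert *x509.Certificate, store *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: store})
	return err == nil
}
// Tampered re-parses cert after changing its subject name (same length) in the DER without re-signing it.
func Tampered(cert *x509.Certificate, oldCN, newCN string) (*x509.Certificate, error) {
	return x509.ParseCertificate(bytes.Replace(cert.Raw, []byte(oldCN), []byte(newCN), 1))
}
// SignChallenge: the party being authenticated signs a fresh nonce with its private key.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
// VerifyChallenge: the recipient checks that signature with the public key carried in the certificate.
func VerifyChallenge(cert *x509.Certificate, nonce, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig) == nil
}
```

An empty `x509.CertPool` stands in for a store that lacks the issuing CA, which is why the host certificate is rejected there even though it is genuine.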

Digital certificate stores

Digital certificates are maintained on your computer in certificate stores. A certificate store contains the certificates you use to confirm the identity of remote parties, and may also contain personal certificates, which you use to identify yourself to remote parties. Personal certificates are associated with a private key on your computer.

Reflection can be configured to use digital certificates located in either or both of the following stores:

  • The Windows Certificate Store

    This store can be used by a number of applications, including Reflection, web browsers, and mail clients. Some certificates in this store are included when you install the Windows operating system. Others may be added when you connect to internet sites and establish trust, when you install software, or when you receive an encrypted or digitally signed e-mail. You can also import certificates manually into your Windows store. Manage the certificates in this store using the Windows Certificate Manager.

  • The Reflection Certificate Store

    This store is used only by Reflection applications. To add certificates to this store, you must import them manually. You can import certificates from files and also use certificates on hardware tokens such as smart cards. Manage the certificates in this store using the Reflection Certificate Manager.

Reflection applications can be configured to authenticate using only those certificates located in the Reflection store, or using both the Windows and the Reflection store. Enabling host authentication using the Windows certificate store means that you may not need to import certificates, because authentication may be accomplished using certificates that are already available. Disabling authentication using the Windows certificate store gives you greater control over which certificates are used for authentication. For more information, see Enabling or disabling authentication using the Windows certificate store.

PKI in Reflection sessions

Reflection sessions support PKI authentication for both Secure Shell and SSL/TLS sessions.

  • All SSL/TLS sessions require certificates for host authentication; without the necessary certificate, you cannot make a host connection. Depending on the host configuration, you may also need to install certificates for user authentication. For more information, see Digital Certificates in SSL/TLS Sessions.
  • Secure Shell sessions typically require both host and user authentication. Certificates can be used for host authentication, user authentication, or both, but are not required by default. For more information, see Digital Certificates in Secure Shell Sessions.