
Digital Certificates in SSL/TLS Sessions

Before making an SSL/TLS connection, Reflection must authenticate the host (server). In addition, some servers may also require the user (client) to present a certificate for user authentication. When Reflection is configured to use SSL/TLS security, authentication is handled with digital certificates. These certificates are part of the same Public Key Infrastructure (PKI) that is used to secure internet transactions.

Your computer must be configured to recognize the digital certificate presented by your host and, if necessary, to provide a certificate for client authentication. If your computer is not properly configured, or if the certificates presented for authentication are not valid, you will not be able to make SSL/TLS connections.

Depending on how your digital certificates are issued, you may need to install certificates on your computer before you can connect using SSL/TLS security.

  • If your host certificates were acquired from a well-known certification authority (CA), such as VeriSign or Thawte, and you have configured Reflection to support host authentication using the Windows system certificate store, you do not need to install any host certificates on your computer. A certificate identifying the issuer as a trusted CA should already be included in the Trusted Root Certification Authorities list on your system.
  • If you have configured Reflection to require authentication using the Reflection store, each client computer must import required CA certificate(s) into the Reflection Certificate Manager.
  • If your enterprise has created its own certification authority, each client computer must import the root certificate for your CA. Depending on your configuration, import it into either the Windows or Reflection certificate store.
  • If the host creates its own self-signed certificates, each client computer must install any needed certificates. Depending on your configuration, import them into either the Windows or Reflection certificate store.
  • If the host requires a client certificate for user authentication, you need to import the personal certificate. You can use either the Reflection or the Windows personal certificate store.

    Note: By default, Certificate host name must match host being contacted is enabled in the PKI Configuration dialog box. When this setting is enabled, the host name you configure in Reflection must exactly match one of the host names entered in either the CommonName or the SubjectAltName fields of the certificate. If you are using a hosts file, check to be sure that the name in your hosts file exactly matches the name in the certificate.
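
The host name check described in the note above can be rehearsed before connecting. The following is an added example, not Reflection code: it compares the names in a hosts file with the CommonName and SubjectAltName values of a certificate and reports why a name would fail an exact match. The certificate dictionary uses the layout of Python's `ssl.SSLSocket.getpeercert()`, and every name and address is constructed. The page does not say whether a difference in letter case is accepted, so that case is reported separately.

```python
# Added example: pre-check configured host names against certificate names.
# The certificate dict mirrors the shape returned by Python's
# ssl.SSLSocket.getpeercert(); all names and addresses below are constructed.

def cert_names(cert):
    """Collect CommonName values and SubjectAltName DNS entries."""
    names = [value for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ())
              if kind == "DNS"]
    return names

def hosts_file_names(text):
    """Return every host name and alias found in hosts-file text."""
    names = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        names.extend(fields[1:])                # fields[0] is the IP address
    return names

def classify(configured, cert):
    """Explain how a configured name relates to the certificate's names."""
    names = cert_names(cert)
    if configured in names:
        return "exact match"
    if configured.lower() in (n.lower() for n in names):
        return "differs only in letter case"
    if any(n.lower().startswith(configured.lower() + ".") for n in names):
        return "short name; certificate holds the fully qualified name"
    return "no match"

SAMPLE_CERT = {  # constructed certificate fields
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "mainframe.example.com"),)),
    "subjectAltName": (("DNS", "mainframe.example.com"),
                       ("DNS", "tn3270.example.com")),
}
SAMPLE_HOSTS = """\
# constructed hosts file
192.0.2.10  mainframe.example.com  mainframe
192.0.2.10  TN3270.example.com     # alias typed in upper case
"""

if __name__ == "__main__":
    for name in hosts_file_names(SAMPLE_HOSTS):
        print(f"{name:24} {classify(name, SAMPLE_CERT)}")
```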