Show Contents / Index / Search

General Pane

Getting there

Note: You need to restart the server for some changes on this pane to take effect. For details, see the Notes section below.

The options are:

Private key location

The path to the private key used to verify the identify of Reflection PKI Services Manager. If this doesn't point to a valid key, the service won't start.

PKI server address

The address and port on which PKI Services Manager listens for validation requests. The syntax is host:port.

You can specify the host name using either an IP address or a host name. IP addresses can be in either IPv4 or IPv6 format. IPv6 addresses must be enclosed in square brackets, for example [::D155:AB63]:18081. The default is, which configures the server to listen on port 18081 using any available network adapter.

Enforce DOD PKI settings

Enforces settings that meet United States Department of Defense PKI requirements.

When this option is selected, the service will not start unless the following conditions are met:

FIPS mode is selected
Allow MD5 signed certificates is not selected
Allow MD2 signed certificates is not selected
Allow version 1 certificates is not selected
Search order to use when building path to trust anchor does not include "Windows certificate store"
Search order to use for revocation has at least one option selected and does not include "None".

FIPS mode

Enforces security protocols and algorithms that meet FIPS 140-2 standards.

Allow MD5 signed certificates

Allow certificates signed using the MD5 hash even when FIPS mode is enabled.


Allow MD2 signed certificates

Allow certificates signed using the MD2 RSA hash.

Allow version 1 certificates

Allow X.509 version 1 certificates to be used as trust anchors.

Note: Intermediate certificates must be version 3 regardless of the value of this setting.

Client debugging

Specifies whether or not debug messages are sent to the application that is requesting certificate validation.

Log output to file

Log files are created daily and saved to a directory called logs located in the PKI Services Manager data directory.


Maximum log files

Specifies the maximum number of log files to create. A new log file is automatically created daily. When the maximum is reached, the oldest log is removed.

Log level

Specifies the amount of information sent to the log. The log can contain both auditing messages (labeled "[audit]"), and debug messages (labeled "[debug]"). Auditing messages provide information about both successful and unsuccessful validation attempts. Debug messages are designed to help in troubleshooting.

The default log level is "Error". At this level, auditing messages are sent to the log, but debug messages are sent only if a PKI Services Manager error occurs, generally because PKI Services Manager is not correctly configured. The other options include audit messages plus increasing levels of detail in the debug messages.

Select None to turn off logging.


  • Changes made on this pane are saved to the PKI Services Manager configuration file (pki_config).
  • Changes made on this pane do not take effect until you reload the settings (Server > Reload) or restart the server.
  • Changes to the following settings require a restart: Private key location, PKI server address, DOD PKI mode, FIPS mode, Allow MD5 signed certificates, Allow MD2 signed certificates, Maximum log files, or Log output to file.

Related Topics