PKI Services Manager Overview
Reflection PKI Services Manager provides certificate validation services. One or more centrally managed installations of PKI Services Manager can provide certificate validation services for multiple Attachmate applications.
Applications that use PKI Services Manager for certificate validation are referred to in this guide as PKI Services Manager clients. A PKI Services Manager client can be any of the following:
- A Reflection for Secure IT UNIX or Windows server verifying a certificate presented by an SSH client for user authentication.
- A Reflection for Secure IT UNIX client verifying a certificate presented by an SSH server for host authentication.
- A Reflection X Advantage session verifying a certificate presented for authentication by an X application host.
- The pki-client command line utility, which is provided with PKI Services Manager for testing certificate validation.
How it Works
- A PKI Services Manager client application receives a certificate for authentication from a host or client. Before authentication can continue, the application needs to know that the certificate is valid and can be used for authentication by this host or client.
- The client application connects to PKI Services Manager and uses an installed public key to authenticate the server.
- The client application sends the certificate along with the host or user name to PKI Services Manager.
- PKI Services Manager checks that the certificate uses a supported algorithm, hasn't expired, and is valid for the current use. If these conditions are met, it verifies the chain of trust using your configured trust anchors and available intermediate certificates.
- If required by your configuration, or by conditions set within the certificate, PKI Services Manager checks to be sure that the certificate has not been revoked. Depending on configuration, this check may use Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol responders (OCSP).
- PKI Services Manager uses the mapping rules you have configured to determine if this host or client user is an allowed identity for this certificate.
- PKI Services Manager replies to the client application, letting it know if the certificate is valid and if the host or client user is an allowed identity for this certificate.
- The PKI Services Manager client application allows or denies authentication of the host or client that presented the certificate based on the information it receives from PKI Services Manager.
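The steps above describe a decision pipeline: basic checks on the certificate itself, chain building to a configured trust anchor, a revocation lookup, and finally a mapping-rule lookup that ties the certificate to the presented host or user name. The following is an added example written for this guide, not code from PKI Services Manager or any Attachmate product. It models that pipeline in Python with the standard library only: certificates are plain records, key identifiers stand in for real public keys and signature verification, the CRL data is a constructed set of revoked serials, and the mapping rules use glob patterns on the subject or subject alternative names. Every name, serial and rule in the sample PKI is constructed for the example.

```python
"""Toy model of the validation steps a PKI Services Manager client relies on.
Added illustration; key ids replace real signature checks, all data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
import fnmatch

# Constructed policy: signature algorithms this toy validator accepts.
SUPPORTED_SIG_ALGS = {"sha256WithRSAEncryption", "ecdsa-with-SHA256"}


@dataclass(frozen=True)
class Cert:
    """The X.509 fields the validation steps below consult (hypothetical record type)."""
    subject: str
    issuer: str
    serial: int
    subject_key_id: str      # stands in for the public key; links an issuer to its children
    authority_key_id: str
    not_before: datetime
    not_after: datetime
    sig_alg: str
    key_usages: frozenset    # e.g. {"clientAuth"} for a user certificate
    sans: tuple = ()
    is_ca: bool = False


@dataclass
class Policy:
    """Validator configuration: trust anchors, intermediates, CRLs, mapping rules."""
    trust_anchors: dict      # subject_key_id -> Cert
    intermediates: dict      # subject_key_id -> Cert
    crls: dict               # issuer subject_key_id -> set of revoked serials
    mapping_rules: list      # (glob on subject or SAN, tuple of allowed identity globs)
    require_revocation_check: bool = True


def check_basic(cert, usage, now):
    """Algorithm, validity period and intended use of the presented certificate."""
    if cert.sig_alg not in SUPPORTED_SIG_ALGS:
        return "unsupported signature algorithm %s" % cert.sig_alg
    if not (cert.not_before <= now <= cert.not_after):
        return "certificate expired or not yet valid"
    if usage not in cert.key_usages:
        return "certificate not valid for %s" % usage
    return None


def build_chain(cert, policy, max_depth=8):
    """Walk authority key ids through intermediates until a configured trust anchor."""
    chain, current = [cert], cert
    for _ in range(max_depth):
        anchor = policy.trust_anchors.get(current.authority_key_id)
        if anchor is not None and anchor.subject == current.issuer:
            return chain + [anchor]
        issuer = policy.intermediates.get(current.authority_key_id)
        if issuer is None or not issuer.is_ca or issuer.subject != current.issuer:
            return None
        chain.append(issuer)
        current = issuer
    return None


def check_revocation(chain, policy):
    """Every non-anchor certificate is looked up in its issuer's CRL."""
    for child, issuer in zip(chain, chain[1:]):
        crl = policy.crls.get(issuer.subject_key_id)
        if crl is None:
            if policy.require_revocation_check:
                return "no revocation data for certificates issued by %s" % issuer.subject
            continue
        if child.serial in crl:
            return "certificate serial %d revoked by %s" % (child.serial, issuer.subject)
    return None


def identity_allowed(cert, identity, policy):
    """The first mapping rule matching the subject or a SAN decides the identity."""
    names = (cert.subject,) + tuple(cert.sans)
    for name_glob, allowed in policy.mapping_rules:
        if any(fnmatch.fnmatchcase(n, name_glob) for n in names):
            return any(fnmatch.fnmatchcase(identity, a) for a in allowed)
    return False


def validate(cert, identity, usage, policy, now=None):
    """Returns (allowed, reason), the answer a client application acts on."""
    now = now or datetime.now(timezone.utc)
    err = check_basic(cert, usage, now)
    if err:
        return False, err
    chain = build_chain(cert, policy)
    if chain is None:
        return False, "no path to a trust anchor"
    for c in chain[1:]:  # issuing certificates must themselves be within their validity period
        if not (c.not_before <= now <= c.not_after):
            return False, "issuer %s expired" % c.subject
    err = check_revocation(chain, policy)
    if err:
        return False, err
    if not identity_allowed(cert, identity, policy):
        return False, "identity %r not allowed for this certificate" % identity
    return True, "certificate valid; identity allowed"


# Constructed sample PKI: no real keys, key ids are just labels.
def _cert(subject, issuer, serial, skid, akid, usages, sans=(), is_ca=False):
    return Cert(subject, issuer, serial, skid, akid,
                datetime(2020, 1, 1, tzinfo=timezone.utc), datetime(2099, 1, 1, tzinfo=timezone.utc),
                "sha256WithRSAEncryption", frozenset(usages), tuple(sans), is_ca)

ROOT = _cert("CN=Example Root CA", "CN=Example Root CA", 1, "root", "root", (), is_ca=True)
ISSUING = _cert("CN=Example Issuing CA", "CN=Example Root CA", 2, "issuing", "root", (), is_ca=True)
ALICE = _cert("CN=alice,O=Example", "CN=Example Issuing CA", 100, "alice", "issuing",
              ("clientAuth",), sans=("alice@example.test",))
BOB = _cert("CN=bob,O=Example", "CN=Example Issuing CA", 101, "bob", "issuing", ("clientAuth",))
ROGUE = _cert("CN=alice,O=Example", "CN=Unknown CA", 5, "rogue", "nobody", ("clientAuth",))

POLICY = Policy(
    trust_anchors={"root": ROOT},
    intermediates={"issuing": ISSUING},
    crls={"root": set(), "issuing": {101}},  # bob's serial is on the issuing CA's CRL
    mapping_rules=[("CN=alice,*", ("alice", "alice-admin")), ("*@example.test", ("*",))],
)

if __name__ == "__main__":
    for cert, ident in ((ALICE, "alice"), (ALICE, "mallory"), (BOB, "bob"), (ROGUE, "alice")):
        print(cert.subject, ident, validate(cert, ident, "clientAuth", POLICY))
```

Two design points carry over to a real deployment. Mapping rules are order-sensitive: the first rule whose pattern matches the certificate decides, so a broad rule placed before a narrow one silently widens who a certificate may authenticate as. And the revocation check fails closed when revocation data is required but absent, which is the behaviour you want from a service whose answer gates authentication.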