Configure PKI Services Manager on Windows

Before Reflection PKI Services Manager can validate certificates you need to customize the default configuration and map files. Use the following procedures to get started. Many additional variations are possible.

To set up your configuration and map files

  1. Log in as an administrator on the computer running PKI Services Manager.
  2. Start the PKI Services Manager console:

    Programs > Attachmate Reflection > Utilities > PKI Services Manager

    Note: On Windows, starting the console or the service for the first time initializes PKI Services Manager. This creates the required data folders and default settings files. If these folders already exist, they are not changed; PKI Services Manager uses your existing data files and folders. (On UNIX the install script automatically initializes PKI Services Manager if required, and starts the service.)

  3. Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location:

    common application data folder\Attachmate\ReflectionPKI\local-store

    (This step is not required if you are using certificates in the Windows store or you have a copy of the trust anchor available somewhere else on your system.)

  4. From the Trusted Chain pane, add your trust anchor (or anchors) to the list of trust anchors.

    To use this store

    Do this

    Your local certificate store or a certificate file on your system


    Click Add. Select either Local store certificate or Certificate file, click Browse and select the certificate for your trust anchor.

    The Windows certificate store

    Under Search order to use when building path to trust anchor, select "Windows certificate store."

    Click Add.

    From the Add Trust Anchor dialog box, select Windows certificate then click Browse to select an available certificate.

    Note: PKI Services Manager uses only those certificates that are installed for use by the local computer (not certificates installed for the current user) and are in either the trusted root certification authorities list or the trusted intermediate authorities list. To view and manage the local computer certificates, use the Microsoft Management Console. Add the Certificates Snap-in and configure it to manage certificates for the computer account.

  5. From the Revocation pane, configure certificate revocation checking.

    Note: By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.

  6. From the Identity Mapper pane, add rules to determine which identities can authenticate with a valid certificate.

    After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.

  7. Click File > Save.
  8. Start the PKI Services Manager service if it isn't already running. If the service is already running, reload your settings (Server > Reload).

Related Topics

Trusted Chain Pane

Revocation Pane

Identity Mapper Pane

pkid_config Configuration File Reference

pki_mapfile Map File Reference