Certificate Storage

In order to validate certificates, PKI Services Manager must have access to at least one trust anchor and may also require access to additional, intermediate certificates. One available option for storing both trust anchors and intermediate certificates is the PKI Services Manager local store. The default store location is:

Windows: common application data folder\Attachmate\ReflectionPKI\local-store

UNIX: /opt/attachmate/pkid/

You can modify this location and/or add additional stores. To do this from the console, use the Local Store pane. In the pki_config file, use the LocalStore keyword.

Trust Anchors

The trust anchor must be located on the computer running PKI Services Manager. PKI Services Manager can retrieve trust anchors from:

• A certificate file
• A PKCS#7 file
• (On Windows systems) The Windows Certificate Store

Notes:

• Trust anchors that are stored within a PKCS#7 file must be placed in the PKI Services Manager local store.
• Trust anchors that are stored as certificate files can be in the local store, but this is not required.
• If you configure PKI Services Manager to use the Windows store, it uses only those certificates that are installed for use by the local computer, not certificates installed for the current user. To view and manage the local computer certificates, use the Microsoft Management Console, and add the Certificates (Local Computer) Snap-in.

After your trust anchors are installed on the PKI Services Manager host, you must explicitly specify which trust anchors you want PKI Services Manager to use for certificate validation. PKI Services Manager cannot validate any certificate until the correct trust anchor for that certificate has been added to this list. To configure trust anchors from the console, use the Trusted Chain pane. To configure trust anchors using the pki_config file, use the TrustAnchor keyword.

Intermediate Certificates

Depending on your configuration, PKI Services Manager can retrieve intermediate certificates from one or more of the following:

• The PKI Services Manager local store
• An LDAP or HTTP server
• Any location specified in the AIA extension of the certificate being presented

  The AIA extension is a field within a certificate that contains a Uniform Resource Identifier (URI) used to locate an item required to validate this certificate. The URI can point to an OCSP responder or to a certificate from the issuing Certificate Authority (CA).

• (On Windows systems) The Windows Certificate Store

Notes:

• Certificates in the local store and in LDAP or HTTP servers can be stored as certificate files, or within a PKCS#7 file.
• PKI Services Manager can support LDAP servers that respond with more than one certificate. PKI Services Manager will determine the correct certificate to use when building a certificate path.

To configure which locations PKI Services Manager searches from the console, use Trusted Chain pane. In the pki_config file, use the CertSearchOrder and CertServers keywords.