Certificate Storage

In order to validate certificates, PKI Services Manager must have access to at least one trust anchor and may also require access to additional, intermediate certificates. A trust anchor is a certificate that can be used as the final trust point in a certificate chain of trust; you can configure a trust anchor using a root CA certificate, an intermediate CA certificate, or a self-signed certificate (one which can only validate itself). Note: PKI Services Manager validates certificates using only those trust anchors that have been explicitly configured for use by PKI Services Manager. One available option for storing both trust anchors and intermediate certificates is the PKI Services Manager local store. The default store location is:

Windows: the common application data folder (hidden by default). The default is: \ProgramData\Attachmate\ReflectionPKI\local-store

UNIX: /opt/attachmate/pkid/

You can modify this location and/or add additional stores. To do this from the console, use the Local Store pane. In the pki_config file, use the LocalStore keyword.

Trust Anchors

The trust anchor must be located on the computer running PKI Services Manager. PKI Services Manager can retrieve trust anchors from:

  • A certificate file

  • A PKCS#7 file

  • (On Windows systems) The Windows Certificate Store

NOTE:

  • Trust anchors that are stored within a PKCS#7 file must be placed in the PKI Services Manager local store.

  • Trust anchors that are stored as certificate files can be in the local store, but this is not required.

  • If you configure PKI Services Manager to use the Windows store, it uses only those certificates that are installed for use by the local computer, not certificates installed for the current user. To view and manage the local computer certificates, use the Microsoft Management Console, and add the Certificates (Local Computer) Snap-in.

After your trust anchors are installed on the PKI Services Manager host, you must explicitly specify which trust anchors you want PKI Services Manager to use for certificate validation. PKI Services Manager cannot validate any certificate until the correct trust anchor for that certificate has been added to this list. To configure trust anchors from the console, use the Trusted Chain pane. To configure trust anchors using the pki_config file, use the TrustAnchor keyword.

Intermediate Certificates

Depending on your configuration, PKI Services Manager can retrieve intermediate certificates from one or more of the following:

NOTE:

  • Certificates in the local store and in LDAP or HTTP servers can be stored as certificate files, or within a PKCS#7 file.

  • PKI Services Manager can support LDAP servers that respond with more than one certificate. PKI Services Manager will determine the correct certificate to use when building a certificate path.

To configure, from the console, which locations PKI Services Manager searches, use the Trusted Chain pane. In the pki_config file, use the CertSearchOrder and CertServers keywords.