Configure Certificate Server Authentication

You can configure the server to authenticate using any of the following:

  • The local computer certificate stored within the Windows certificate store.
  • A PKCS #12 file (*.pfx or *.p12) that includes both the certificate and the associated private key.
  • A certificate file (*.cer) and its associated private key.

     

Here's a quick summary of the important steps. The details are explained in the procedures that follow.

  1. Configure the server for certificate authentication.
  2. Install the CA root certificate on the client.
  3. (Optional) Configure strict host key checking on the client.

To configure certificate authentication on the server

  1. Start the server console, and then click Identity.
  2. Specify the certificate to use.

    • To use the local computer certificate from the Windows store: Select Use the local computer certificate from the Windows certificate store.

      Note: The certificate in the Windows store must be configured to allow export of the private key.

      To view and manage your certificate, use the Microsoft Management Console. The server uses the certificate located under Certificates (Local Computer) > Personal > Certificates.

    • To use a certificate in a PKCS#12 file: Select Use the following certificate, and then in the Private key text box, enter the full path and file name (*.pfx or *.p12).

      The certificate is exported automatically, and the exported file appears in the Certificate text box.

    • To use a certificate and its associated private key: Select Use the following certificate, enter the full path and name of the private key file in the Private key text box, and then specify the full path and name of the certificate file in the Certificate text box.

  3. Click File > Save.
  4. The server settings are updated.
  5. Restart the server.
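
To check the precondition in the Note above before selecting the Windows store option, the following PowerShell lists each certificate under Certificates (Local Computer) > Personal with its expiry and private-key export policy. This is an added example, not part of the product documentation; it assumes RSA keys and an elevated session, and the output property names are chosen for this example.

```powershell
# Added example (not vendor code): audit certificates under
# Certificates (Local Computer) > Personal > Certificates.
# Run in an elevated session; reading machine private keys needs admin rights.
# Assumption: RSA keys only; other key types are reported as 'Unknown'.
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $exportPolicy = 'n/a'   # stays 'n/a' when the store holds no private key

    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: ExportPolicy is a flags enum (None, AllowExport, ...)
                $exportPolicy = $rsa.Key.ExportPolicy.ToString()
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: exportability is a single boolean
                $exportPolicy = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
            }
            else {
                $exportPolicy = 'Unknown'
            }
        }
        catch {
            # Typical causes: missing key container or insufficient rights
            $exportPolicy = "Error: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt $now
        HasPrivateKey = $cert.HasPrivateKey
        ExportPolicy  = $exportPolicy
    }
} | Format-Table -AutoSize
```

A certificate that shows HasPrivateKey as False, or an ExportPolicy of None, does not meet the requirement stated in the Note.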

Refer to your client documentation for information about how to configure certificate authentication on the client. The procedure that follows is for the Reflection for Secure IT Windows Client.

To configure the Reflection for Secure IT Windows Client

  1. Open Reflection for Secure IT Windows Client.
  2. Open the Reflection Secure Shell Settings dialog box (Connection > Connection Setup > Security).
  3. Click the PKI tab.
  4. Install the CA root certificate on the client:

    • To add the certificate to the Windows certificate store: Click View System Certificates, and then import the certificate using the Trusted Root Certification Authorities tab.

    • To add the certificate to the Reflection certificate store: Click Reflection Certificate Manager, and then import the certificate using the Trusted Certificate Authorities tab.

  5. (Optional) To eliminate the risk created by allowing users to accept unknown keys, enforce strict host key checking on the client: on the Host Keys tab of the Secure Shell Settings dialog box, set Enforce strict host key checking to Yes.