Show Contents / Index / Search

Certificate Authentication Overview

Reflection for Secure IT supports host (server) authentication using certificates.

Certificate authentication solves some of the problems presented by public key authentication. With public key host authentication, the system administrator must either add the host public key for every server to each client's list of known hosts, or count on client users to confirm the host identity correctly when they connect to an unknown host. Certificate authentication avoids this problem by using a trusted third party, called the certification authority (CA), to verify the validity of information coming from the host.

Like public key authentication, certificate authentication uses public/private key pairs to verify the host identity. However, with certificate authentication, public keys are contained within digital certificates, and in this case, two key pairs are used; the host holds one private key and the CA holds a second. The host obtains a certificate from the CA. This certificate contains identifying information about the host, a copy of the host public key, and a digital signature created using the CA's private key. This certificate is sent to the client during the authentication process. To verify the integrity of the information coming from the host, the client must have a copy of the CA's public key, which is contained in the CA root certificate.

Installing CA root certificates to verify the host identity has several advantages over installing and configuring host public keys:

  • A single CA certificate can be used to authenticate multiple servers.
  • Administrators can use Windows Group Policies to install CA certificates on Windows clients.
  • Root certificates for commercially obtained certificates may already be available on client computers. Windows computers have some root certificates pre-installed for use by Internet Explorer. For SSL/TLS connections, Reflection checks for certificates in this certificate store by default.
  • If necessary, the host can obtain a new certificate from the same CA with no change required on client systems.

Related Topics

Certificate Authentication Sequence of Events

Configure Certificate Server Authentication