PKI Settings Migration
Review the information below if you configured certificate authentication using Reflection for Secure IT 6.x or F-Secure. Some certificate settings continue to be supported in Reflection for Secure IT UNIX Client and Server settings files. Others need to be migrated to the Reflection PKI Services Manager settings file. You can use the pkid command with the -m option to migrate settings from Reflection for Secure IT 6.x or F-Secure settings files.
Note: For details about the -m option, refer to the pkid command reference.
The following tables summarize how prior version settings are handled. The entries under Status describe the effect of prior version keywords in your current version settings files. These entries have the following meanings:
- Supported: The keyword has the same meaning as it did in prior versions.
- Deprecated: The keyword continues to have an effect, but its meaning may have changed.
- Ignored: The keyword has no effect in current Reflection for Secure IT settings files. These settings need to be migrated to PKI Services Manager settings files. Refer to the migration log for additional information.
- Not supported: The keyword cannot be used in current version settings files. It has no meaning and causes an error if present.
Client Settings
| Prior version keyword | Status | Migrated? | Equivalent PKI Services Manager keyword |
|---|---|---|---|
| HostCA | Deprecated | Yes | TrustAnchor |
| HostCANoCRLs | Deprecated | Yes | TrustAnchor RevocationCheckOrder = none |
| HostCertNameCheck | Supported | No | -- |
| LDAPServers | Ignored | Yes | CertServers, CRLServers (All servers are migrated to both keywords) |
| LocalPKI | Ignored | Yes | LocalStore |
| OCSPResponder | Ignored | Yes | OCSPResponders |
| RevocationChecks | Ignored | Yes | RevocationCheckOrder |
| RevocationCA | Ignored | Yes | OcspCertificate |
Server Settings
| Prior version keyword | Status | Migrated? | Equivalent PKI Services Manager keyword |
|---|---|---|---|
| HostCA | Deprecated | Yes | TrustAnchor |
| HostCANoCRLs | Deprecated | Yes | TrustAnchor RevocationCheckOrder = none |
| HostCertificateFile | Supported | No | -- |
| DynamicMapFile | Ignored | Yes | DynamicFile (This keyword is configured in pki_mapfile.) |
| ExternalMapper | Ignored | Yes | Supported in map file rules by using the Extern option in the conditional expression. |
| ExternalMapperTimeout | Ignored | Yes | ExternTimeout (This keyword is configured in pki_mapfile.) |
| LDAPServers | Ignored | Yes | CertServers, CRLServers (All servers are migrated to both keywords) |
| LocalPKI | Ignored | Yes | LocalStore |
| OCSPResponder | Ignored | Yes | OCSPResponders |
| RevocationChecks | Ignored | Yes | RevocationCheckOrder |
| RevocationCA | Ignored | Yes | OcspCertificate |
| MapFile | Ignored | Yes | MapFile |
| OcspMode | Ignored | Yes | RevocationCheckOrder |
| PKI | Ignored | Yes | TrustAnchor |
| PkiDisableCrls | Ignored | Yes | RevocationCheckOrder = none |
| PkiIgnoreBasicConstraints | Ignored | Yes | StrictMode |
| SocksServer | Not supported | No | -- |
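Because an Ignored keyword left in a server settings file has no effect, and a Not supported keyword causes an error, it is worth auditing a prior-version file against the Server Settings table before relying on it. The following is an added example, not part of the product or its documentation; it assumes one `Keyword value` or `Keyword=value` pair per line, `#` comments, and case-insensitive keywords, and the sample file contents are constructed.

```python
import re

# Server Settings table from this page: keyword -> (status, PKI Services Manager equivalent).
SERVER_KEYWORDS = {
    "hostca": ("Deprecated", "TrustAnchor"),
    "hostcanocrls": ("Deprecated", "TrustAnchor RevocationCheckOrder = none"),
    "hostcertificatefile": ("Supported", None),
    "dynamicmapfile": ("Ignored", "DynamicFile (in pki_mapfile)"),
    "externalmapper": ("Ignored", "Extern option in map file rules"),
    "externalmappertimeout": ("Ignored", "ExternTimeout (in pki_mapfile)"),
    "ldapservers": ("Ignored", "CertServers, CRLServers"),
    "localpki": ("Ignored", "LocalStore"),
    "ocspresponder": ("Ignored", "OCSPResponders"),
    "revocationchecks": ("Ignored", "RevocationCheckOrder"),
    "revocationca": ("Ignored", "OcspCertificate"),
    "mapfile": ("Ignored", "MapFile"),
    "ocspmode": ("Ignored", "RevocationCheckOrder"),
    "pki": ("Ignored", "TrustAnchor"),
    "pkidisablecrls": ("Ignored", "RevocationCheckOrder = none"),
    "pkiignorebasicconstraints": ("Ignored", "StrictMode"),
    "socksserver": ("Not supported", None),
}

# Constructed sample of a prior-version server settings file (paths and hosts are made up).
SAMPLE = """\
# prior-version server settings
Port 22
HostCertificateFile /etc/ssh2/hostcert.crt
PkiDisableCrls yes
ldapservers = ldap://ldap.example.com:389
SocksServer socks://proxy.example.com:1080
"""

def audit(text):
    """Return (line_no, keyword, status, equivalent) for every keyword that needs attention."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()                 # assumption: '#' starts a comment
        keyword = re.split(r"[=\s]+", line, maxsplit=1)[0]  # assumption: 'Key value' or 'Key=value'
        entry = SERVER_KEYWORDS.get(keyword.lower())        # assumption: case-insensitive keywords
        if entry and entry[0] != "Supported":
            findings.append((line_no, keyword, *entry))
    return findings

if __name__ == "__main__":
    for line_no, keyword, status, equivalent in audit(SAMPLE):
        print(f"line {line_no}: {keyword}: {status}; equivalent: {equivalent or '--'}")
```

Findings that map to `RevocationCheckOrder = none` deserve a second look after migration, since they carry a disabled revocation check forward into PKI Services Manager.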