Server Certificate Authentication Overview

Certificate authentication is a form of public key authentication that solves some of the problems presented by public key authentication. With public key host authentication, the system administrator must either add the host public key for every server to each client's list of known hosts, or count on client users to confirm the host identity correctly when they connect to an unknown host. Certificate authentication avoids this problem by using a trusted third party, called the certification authority (CA), to verify the validity of information coming from the host. With certificates, you can configure authentication using a single trust anchor instead of multiple unique server public keys.

Reflection PKI Services Manager supports central management of PKI settings. You can install and configure a single instance of PKI Services Manager to provide certificate validation services for all supported Attachmate products.




Reflection PKI Services Manager must be installed and correctly configured.

PKI Services Manager validates the certificate and uses a map file to determine which servers can authenticate with a valid certificate. You need to configure at least one trust anchor and one mapping rule for certificate validation to succeed. You may also need to configure access to intermediate certificates and to certificate revocation information.


A certificate signed by a CA and the associated private key must be installed on the server.

The server sends this certificate to the client to authenticate the server.

The Reflection for Secure IT UNIX client must have a copy of the PKI Services Manager public key and be configured to connect to PKI Services Manager.

The client communicates with PKI Services Manager to confirm the validity of the server certificate.

How it Works

  1. The Reflection for Secure IT server presents a certificate to the client for server authentication.
  2. The Reflection for Secure IT client connects to Reflection PKI Services Manager. (Set the server name and port for this connection using the Reflection for Secure IT client PkidAddress keyword.)
  3. Reflection for Secure IT verifies the identity of PKI Services Manager using an installed public key. (Set the key name and location using the Reflection for Secure IT client PkidPublicKey keyword.)
  4. Reflection for Secure IT sends the certificate and the server name to PKI Services Manager.
  5. PKI Services Manager determines if the certificate is valid and whether the server is allowed to authenticate with this certificate based on the rules the PKI Services Manager administrator has configured in the PKI Services Manager map file (/opt/attachmate/pkid/config/pki_mapfile by default). This information is returned to Reflection for Secure IT.
  6. If the certificate is valid and the server presenting it is an allowed identity for this certificate, server authentication is successful.

Related Topics

Configure Server Certificate Authentication

Configure Certificate Authentication for Users

winpki and pkid Command Reference

pkid_config Configuration File Reference

pki_mapfile Map File Reference