Configure Certificate Server Authentication

You can configure the server to authenticate using any of the following:

  • The local computer certificate stored within the Windows certificate store.
  • A PKCS #12 file (*.pfx or *.p12) that includes both the certificate and the associated private key.
  • A certificate file (*.cer) and its associated private key.

     

Here's a quick summary of the important steps. The details are explained in the procedures that follow.

  1. Configure the server for certificate authentication.
  2. Install the CA root certificate on the client.
  3. (Optional) Configure strict host key checking on the client.

To configure certificate authentication on the Reflection for Secure IT server

  1. Start the server console, and then click Identity.
  2. Select Use host certificate and specify the certificate to use.

    To use: The local computer certificate from the Windows store
    Do this: Select Use the local computer certificate from the Windows certificate store. Click Browse to select a certificate from this store.

    To use: A certificate in a PKCS#12 file
    Do this: Select Use the following certificate, and then in the Private key text box, enter the full path and filename (*.pfx or *.p12). The certificate is exported automatically, and the exported file appears in the Certificate text box.

    To use: A certificate and its associated private key
    Do this: Select Use the following certificate, enter the full path and name of the private key file in the Private key text box, and then specify the full path and name of the certificate file in the Certificate text box.

  3. Save your settings (File > Save Settings).
  4. Restart the server.
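
A pre-flight check for the certificate selected in step 2, as an added PowerShell example that is not part of the product documentation. The function name Test-HostCertificate and the sample file path are hypothetical, and the chain check uses only the Windows certificate stores of the machine where it runs (not the Reflection certificate store).

```powershell
# Added example: checks a candidate host certificate before it is selected in the server console.
# Test-HostCertificate and the path below are hypothetical names, not part of the product.
function Test-HostCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Build the chain against the Windows trust stores of the machine running this script.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Revocation is not checked, so the script also works without network access.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)
    $now = Get-Date

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        # The server needs the private key; a certificate without one cannot authenticate the host.
        HasPrivateKey = $Certificate.HasPrivateKey
        WithinValidity = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        # True only if the issuing CA root is trusted on this machine.
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Local computer certificates in the Windows certificate store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-HostCertificate -Certificate $_ }

# A PKCS #12 file (*.pfx or *.p12); the path is a placeholder.
$pfxPath  = 'C:\certs\host.pfx'
$password = Read-Host -AsSecureString -Prompt 'PKCS #12 password'
$pfxCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $password)
Test-HostCertificate -Certificate $pfxCert
```

Running the same function on a client after the CA root has been imported into the Windows store shows whether ChainTrusted becomes true there.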

The procedure that follows describes how to configure the Reflection for Secure IT Client for Windows to use a certificate for host authentication. If you use a different client, refer to your client documentation.

To configure the Reflection for Secure IT Client for Windows

  1. Start Reflection for Secure IT Client for Windows.
  2. Open the Reflection Secure Shell Settings dialog box (Connection > Connection Setup > Security).
  3. Click the PKI tab.
  4. Install the CA root certificate on the client:

    To add the certificate to: The Windows certificate store
    Do this: Click View System Certificates, and then import the certificate using the Trusted Root Certification Authorities tab.

    To add the certificate to: The Reflection certificate store
    Do this: Click Reflection Certificate Manager, and then import the certificate using the Trusted Root Certification Authorities tab.

  5. (Optional) To eliminate the risk created by allowing users to accept unknown keys, enforce strict host key checking on the client — from the Host Keys tab of the Secure Shell Settings dialog box, set Enforce strict host key checking to Yes.