To configure client host authentication using certificates, you need to install and configure Reflection PKI Services Manager. Use the following procedure to get started. Many variations are possible. For more information about each of the steps below, see the Reflection PKI Services Manager User Guide, which is available from the PKI Services Manager console, and from http://support.attachmate.com/manuals/pki.html.
Before you begin
Determine which trusted CA certificate and intermediate certificates are needed to validate the certificate that will be presented by the host you are connecting to. PKI Services Manager can use certificate files that you copy to your system, or trusted root certificates installed to the Windows certificate store for use by the local computer.
Determine how certificate revocation checking should be handled for the host certificate. You can configure PKI Services Manager to use CRLs, OCSP responders, or to contact a CRL distribution point specified within the certificate.
To configure PKI Services Manager
Log in as an administrator on the computer running PKI Services Manager.
Start the PKI Services Manager console: > > >
Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. For example:
C:\ProgramData\Attachmate\ReflectionPKI\local-store
(This step is not required if you are using certificates in the Windows store or you have a copy of the trust anchor available somewhere else on your system.)
From the pane, add your trust anchor (or anchors) to the list of trust anchors.
| To use this store | Do this |
|---|---|
| Your local certificate store or a certificate file on your system | Click . Select either or click and select the certificate for your trust anchor. |
| The Windows certificate store | Under , select "Windows certificate store." Click . From the Add Trust Anchor dialog box, select then click to select an available certificate. NOTE: PKI Services Manager uses only those certificates that are installed for use by the local computer (not certificates installed for the current user) and that are in either the trusted root certification authorities list or the trusted intermediate authorities list. To view and manage the local computer certificates, use the Microsoft Management Console: add the Certificates snap-in and configure it to manage certificates for the computer account. |
From the pane, configure certificate revocation checking.
NOTE: By default, PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.
From the pane, click to determine which client hosts can authenticate with a valid certificate. For example, to allow client hosts to connect if the host name is specified in the Common Name value of the certificate's Subject field:
Set to Host Certificate.
Click the drop-down arrow for and select Subject Common Name.
Refer to the PKI Services Manager documentation for additional information about mapping rules.
Click > .
Start the PKI Services Manager service if it isn't already running. If the service is already running, reload your settings ( > ).
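The following PowerShell function is an added example, not code from PKI Services Manager or Attachmate: it applies the same three checks the procedure above configures (trust anchor from the local computer store, online revocation checking, and a "Subject Common Name equals host name" mapping rule) to a host certificate file, so you can see why a given host certificate would be accepted or rejected. It assumes Windows PowerShell 5.1 or later; `$CertPath` and `$ExpectedHost` are caller-supplied inputs.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not part of PKI Services Manager). Evaluates one host
# certificate against the local computer store, online revocation data, and
# the Subject Common Name mapping rule described in the procedure above.
function Test-HostCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,      # DER or Base64 .cer file
        [Parameter(Mandatory)] [string] $ExpectedHost   # name the host must present
    )
    $cert = [X509Certificate2]::new($CertPath)

    # Trust anchor: $true selects the local computer (machine) store context,
    # the same scope the note above says PKI Services Manager reads.
    $chain = [X509Chain]::new($true)

    # Revocation: fetch the CRL / OCSP response named in each certificate
    # (the "CRL distribution point specified within the certificate" option).
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online

    $trusted = $chain.Build($cert)
    $errors  = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })

    # Mapping rule: Subject Common Name must equal the expected host name.
    # -eq is case-insensitive in PowerShell, which matches DNS name semantics.
    $cn = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
    $hostMatches = ($cn -eq $ExpectedHost)

    [pscustomobject]@{
        Subject     = $cert.Subject
        SubjectCN   = $cn
        Trusted     = $trusted
        ChainErrors = $errors
        HostMatches = $hostMatches
        Allowed     = ($trusted -and $hostMatches)
    }
}

# Usage with constructed placeholder values; replace with a real certificate
# file and the host name you expect that certificate to identify.
Test-HostCertificate -CertPath 'C:\temp\hostcert.cer' -ExpectedHost 'host01.example.com' |
    Format-List
```

A host is only reported as Allowed when the chain builds to a trust anchor in the local computer store with no revocation error and the Common Name matches; ChainErrors lists the specific reason otherwise.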