Configuring Windows Systems
Start and Stop the PKI Services Manager Service
Tip
The PKI Services Manager service starts automatically when you restart Windows.
You can choose any one of these options to start or stop the service:
To start the service |
|
To stop the service |
|
You can check the service status by one of these options:
-
Start the PKI Services Manager console and look for status information on the status line at the bottom of the console window
-
From a DOS command window, enter the following command:
winpki ping
-
Open the Windows Services console (Control Panel >Administrative Tools > Services) and view the status of Micro Focus Reflection PKI Services Manager.
Configure PKI Services Manager
Before PKI Services Manager can validate certificates you need to customize the default configuration and map files. Use the following procedures to get started. Many additional variations are possible.
Note
On Windows, starting the console or the service for the first time initializes PKI Services Manager. This creates the required data folders and default settings files. If these folders already exist, they are not changed; PKI Services Manager uses your existing data files and folders. (On UNIX the install script automatically initializes PKI Services Manager if required, and starts the service.)
To set up your configuration and map files:
-
Log in as an administrator and start PKI Services Manager console:
Programs > Micro Focus Reflection > Utilities > PKI Services Manager
-
Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location:
ProgramData\Micro Focus\ReflectionPKI\local-store\
This step is not required if you are using certificates in the Windows store or you have a copy of the trust anchor available somewhere else on your system.
-
From the Trusted Chain pane, add your trust anchor (or anchors) to the list of trust anchors.
To use this store Do this Your local certificate store or a certificate file on your system Click Add. Select either Local store certificate or Certificate file, click Browse and select the certificate for your trust anchor. The Windows certificate store Under Search order to use when building path to trust anchor, select "Windows certificate store." Click Add. From the Add Trust Anchor dialog box, select Windows certificate then click Browse to select an available certificate. -
From the Revocation pane, configure certificate revocation checking.
By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.
-
From the Identity Mapper pane, add rules to determine which identities can authenticate with a valid certificate.
After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.
-
Click File > Save.
-
Start the PKI Services Manager service if it isn't already running. If the service is already running, reload your settings (Server > Reload).
Note
PKI Services Manager uses only those certificates that are installed for use by the local computer (not certificates installed for the current user) and are in either the trusted root certification authorities list or the trusted intermediate authorities list. To view and manage the local computer certificates, use the Microsoft Management Console. Add the Certificates Snap-in and configure it to manage certificates for the computer account.
More information
- Trusted Chain Pane
- Revocation Pane
- Identity Mapper Pane
- pkid_config Configuration File Reference
- pki_mapfile Map File Reference
Save, Reload, and Restart on Windows
After you make changes using the PKI Services Manager console, you need to save these changes in order to update the configuration and map files.
Tip
Saved changes do not affect subsequent certificate validation requests until you either reload your settings or restart the service.
The following settings require a restart:
- Private key location
- PKI server address
- Enforce DOD PKI settings
- FIPS mode
- Maximum log files
- Log output to file
All other settings changes require a reload.
- To save modified settings: File > Save
- To reload modified settings: Server > Reload
Note
Reloading the configuration also clears the internal in-memory caches used for downloading certificates and CRLs. Although certificate and CRL lifetimes are honored by the cache, it might be necessary to clear these manually if a certificate or CRL has been updated at its source before it has expired.
To restart the service
The server restarts automatically when you restart Windows, or use either of the following:
- From the PKI Services Manager console, click Server > Stop, then Server > Start. -or-
- From a DOS command window, enter the following command:
winpki restart
Check Validity and Mapping on Windows
You can test whether a user or server certificate is valid and determine which identities are allowed to authenticate with that certificate. To be valid, a certificate must be signed by a trusted CA (one that is a member of a chain of trust that extends to a trust anchor that you have configured) and it must pass all other validation checks (for example, it must not be expired or revoked and all required intermediate certificates must be available).
Note
The certificate validation test applies only to end-entity certificates, not CA certificates. Valid CA-signed root and intermediate certificates will not pass the validation test.
To test certificates from the console
- Start the PKI Services Manager console: Programs > Micro Focus Reflection > Utilities > PKI Services Manager
- From the Utility menu, select Test Certificate.
- Click Browse.
- Select a certificate location, then click Browse to select an available certificate from that location.
- Click Test.
To test certificates from the command line
-
Open a DOS command window and navigate to the program folder. The default is:
64-bit systems:
C:\Program Files\Micro Focus\ReflectionPKI
-
Use winpki validate to test certificates. Refer to these examples:
To Use this command Check if the certificate test.cer is valid winpki validate \path\test.cer
Check if the certificate is valid and if the server abc.com can authenticate with test.cer winpki validate \path\test.cer -t abc.com
Check if the certificate is valid and if the user joe can authenticate with test.cer winpki validate \path\test.cer -u joe
See which identities can authenticate with test.cer winpki validate \path\test.cer -w
More information
- Certificate Attribute Requirements Enforced by PKI Services Manager