
Configure Certificate Server Authentication

You can configure the server to authenticate using any of the following:

  • A local computer certificate stored within the Windows certificate store.

  • A PEM file (*.pem) that includes both the certificate chain and the associated private key.

  • A PKCS #12 file (*.pfx or *.p12) that includes both the certificate chain and the associated private key.

  • A certificate file (*.cer) and its associated private key.

Prerequisites

If you are using computer certificates stored within the Windows certificate store, you must make sure that the root and intermediate certificates are present in the Windows store before proceeding.

You can use the Windows tool, certlm.msc, to add the certificates to the Windows store. Make sure:

  • The host certificate is imported into the Personal certificates store

  • All intermediate certificates are imported into the Intermediate Certification Authorities store

  • The root certificate is imported into the Trusted Root Certification Authorities store
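The following PowerShell script is an added check, not part of the product documentation: run it on the server before selecting the certificate to confirm that the host certificate is in the Personal store with its private key, and that every issuer in its chain is installed in the store certlm.msc expects. $Thumbprint is a placeholder for the host certificate's thumbprint.

```powershell
# Added example (not from the product documentation): verify the prerequisites
# for using a Local Computer certificate with the server. $Thumbprint is a
# placeholder for the host certificate's SHA-1 thumbprint.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$hostCert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $hostCert) {
    throw "Certificate $Thumbprint is not in the Personal store (certlm.msc > Personal > Certificates)."
}
if (-not $hostCert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no associated private key; the server cannot authenticate with it."
}

# Build the chain with the Windows chain engine. Revocation checking is
# disabled because this check is only about what is installed locally.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($hostCert)

$intermediates = Get-ChildItem -Path Cert:\LocalMachine\CA
$roots         = Get-ChildItem -Path Cert:\LocalMachine\Root

# The chain engine can complete a chain by downloading an intermediate from
# the certificate's AIA URL, so each issuer is checked against the local
# stores explicitly rather than trusting the Build() result alone.
$report = foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    if ($cert.Thumbprint -eq $hostCert.Thumbprint) { continue }
    $isRoot   = ($cert.Subject -eq $cert.Issuer)
    $store    = if ($isRoot) { $roots } else { $intermediates }
    $expected = if ($isRoot) { 'Trusted Root Certification Authorities' } else { 'Intermediate Certification Authorities' }
    [PSCustomObject]@{
        Subject       = $cert.Subject
        ExpectedStore = $expected
        Installed     = [bool]($store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
        NotAfter      = $cert.NotAfter
    }
}

$report | Format-Table -AutoSize
if (-not $built) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not build: $reasons"
}
if ($report | Where-Object { -not $_.Installed }) {
    Write-Warning "One or more chain certificates are missing from the expected store; import them with certlm.msc first."
}
```

Run the script from an elevated PowerShell prompt, since reading the Local Computer stores and the private key association requires administrator rights.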

Basic steps:

  1. Configure the server for certificate authentication.

  2. Install the CA root certificate on the client.

  3. (Optional) Configure strict host key checking on the client.

To configure certificate authentication on the Reflection for Secure IT server

  1. Start the server console, and then click Identity.

  2. Select Use host certificate and specify the certificate to use.

    To use: The local computer certificate from the Windows store
    Do this: Select Use the local computer certificate from the Windows certificate store. Click Browse to select a certificate from this store.

    To use: A certificate chain and private key in a PEM file
    Do this: Select Use the following certificate, and then in the Private key text box, enter the full path and filename (*.pem). The certificate is not exported. The same file name appears in the Certificate text box.

    To use: A certificate and its associated private key
    Do this: Select Use the following certificate, enter the full path and name of the private key file in the Private key text box, and then specify the full path and name of the certificate file in the Certificate text box.

  3. Save your settings (File > Save Settings).

  4. Restart the server.

The procedure that follows describes how to configure the Reflection for Secure IT Client for Windows to use a certificate for host authentication. If you use a different client, refer to your client documentation.

To configure the Reflection for Secure IT Client for Windows

  1. Start the Reflection for Secure IT Client for Windows.

  2. Open the Reflection Secure Shell Settings dialog box (Connection > Connection Setup > Security).

  3. Click the PKI tab.

  4. Install the CA root certificate on the client:

    To add the certificate to: The Windows certificate store
    Do this: Click View System Certificates, and then import the certificate using the Trusted Root Certification Authorities tab.

    To add the certificate to: The Reflection certificate store
    Do this: Click Reflection Certificate Manager, and then import the certificate using the Trusted Root Certification Authorities tab.

  5. (Optional) To eliminate the risk created by allowing users to accept unknown keys, enforce strict host key checking on the client: on the Host Keys tab of the Secure Shell Settings dialog box, set Enforce strict host key checking to Yes.

How to convert between PKCS #12 and PEM formats

The server supports both PKCS #12 (*.pfx or *.p12) and PEM formats. Note that PKCS #12 files cannot be used by the server when it is running in FIPS mode. You can convert these files using the openssl program that is installed with the server.

Convert to PEM:

For modern PKCS #12 files, the conversion command is:

    "C:\Program Files\Micro Focus\RSecureServer\openssl" pkcs12 -in your.p12 -out your.pem -noenc

For PKCS #12 files that use older encryption, the conversion command is:

    "C:\Program Files\Micro Focus\RSecureServer\openssl" pkcs12 -in your.p12 -out your.pem -noenc -legacy -provider-path "C:\Program Files\Micro Focus\RSecureServer\ossl-modules"

Info

The -noenc flag causes the private key to be written to the PEM file unencrypted, without a password.

Convert to PKCS #12:

To create modern PKCS #12 files, the conversion command is:

    "C:\Program Files\Micro Focus\RSecureServer\openssl" pkcs12 -export -in your.pem -out your.p12

To create PKCS #12 files that use older encryption, the conversion command is:

    "C:\Program Files\Micro Focus\RSecureServer\openssl" pkcs12 -export -in your.pem -out your.p12 -legacy -provider-path "C:\Program Files\Micro Focus\RSecureServer\ossl-modules"