Configure Certificate Server Authentication

You can configure the server to authenticate using any of the following:

The local computer certificate stored within the Windows certificate store.
A PKCS #12 file (*.pfx or *.p12) that includes both the certificate and the associated private key.
A certificate file (*.cer) and its associated private key.

Here's a quick summary of the important steps. The details are explained in the procedures that follow.

Configure the server for certificate authentication.
Install the CA root certificate on the client.
(Optional) Configure strict host key checking on the client.

To configure certificate authentication on the Reflection for Secure IT server

Start the server console, and then click Identity.

Select Use host certificate and specify the certificate to use.

To use	Do this
The local computer certificate from the Windows store	Select Use the local computer certificate from the Windows certificate store. Click Browse to select a certificate from this store.
A certificate in a PKCS#12 file	Select Use the following certificate, and then in the Private key text box, enter the full path and filename (.pfx or .p12). The certificate is exported automatically, and the exported file appears in the Certificate text box.
A certificate and its associated private key	Select Use the following certificate, enter the full path and name of the private key file in the Private key text box, and then specify the full path and name of the certificate file in the Certificate text box.

To use

Do this

The local computer certificate from the Windows store

Select Use the local computer certificate from the Windows certificate store. Click Browse to select a certificate from this store.

A certificate in a PKCS#12 file

Select Use the following certificate, and then in the Private key text box, enter the full path and filename (*.pfx or *.p12).

The certificate is exported automatically, and the exported file appears in the Certificate text box.

A certificate and its associated private key

Select Use the following certificate, enter the full path and name of the private key file in the Private key text box, and then specify the full path and name of the certificate file in the Certificate text box.

Save your settings (File > Save Settings).
Restart the server.

The procedure that follows describes how to configure the Reflection for Secure IT Client for Window to use a certificate for host authentication. If you use a different client, refer to your client documentation.

To configure the Reflection for Secure IT Client for Windows

Start the Reflection for Secure IT Client for Windows.
Open the Reflection Secure Shell Settings dialog box (Connection > Connection Setup > Security).
Click the PKI tab.

Install the CA root certificate on the client:

To add the certificate to	Do this
The Windows certificate store	Click View System Certificates, and then import the certificate using the Trusted Root Certification Authorities tab.
The Reflection certificate store	Click Reflection Certificate Manager, and then import the certificate using the Trusted Root Certification Authorities tab.

(Optional) To eliminate the risk created by allowing users to accept unknown keys, enforce strict host key checking on the client — from the Host Keys tab of the Secure Shell Settings dialog box, set Enforce strict host key checking to Yes.