Enabling and Disabling Use of the Windows Certificate Store

Secure Shell and SSL/TLS sessions support the use of digital certificates An integral part of a PKI (Public Key Infrastructure). Digital certificates (also called X.509 certificates) are issued by a certificate authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted. for both host and user authentication. Reflection applications can be configured to authenticate using only those certificates located in Reflection Certificate Manager store, or using both the Windows and the Reflection Certificate Manager store.

Host authentication

Enabling use of the Windows certificate store means that you may not need to import the certificates used for host authentication. If your host certificates were acquired from a well-known (CA), such as VeriSign or Thawte, a certificate identifying the issuer as a trusted CA should already be included in the Trusted Root Certification Authorities list on your system. When use of the system store is enabled, InfoConnect clients look for certificates in both the Reflection Certificate Manager store and the Windows system store.

Disabling use of the Windows certificate store enables you to have greater control over which certificates are used for authentication. Certificates can be added to the Windows store in a variety of ways, and you may not want to allow use of all of these certificates for authenticating InfoConnect sessions. When use of the Windows store is disabled, only those certificates you have imported into the Reflection Certificate Manager store are used for host authentication.

To enable (or disable) host authentication using certificates in the Windows store:

  1. Open the Reflection Certificate Manager.

  2. Click the Trusted Certificate Authorities tab.

  3. Select (or clear) Use System Certificate Store for SSH connections and/or Use System Certificate Store for SSL/TLS connections.

User authentication

InfoConnect uses personal certificates in the Windows store and the Reflection Certificate Manager store in the same way. Available personal certificates include those in the Windows personal store, the Reflection personal store, and certificates on configured hardware tokens (for example smart cards).

  • If you have configured a Secure Shell session, you must specify which certificates to use for user authentication from the User Keys tab in the Secure Shell settings dialog box.

  • If you have configured a SSL/TLS session, all certificates located in either store are automatically available for user authentication.