7.5.3 PKI Settings Dialog Box

Use this dialog box to configure PKI settings for ALC, UTS, and T27 terminal sessions.

Verify host name against host certificate name

Specifies whether host name matching is required when validating host certificates. When this setting is enabled (the default), the host name you configure for the path in the TCP/UDP Path Options dialog box must exactly match a host name or IP address entered in either the CommonName or the SubjectAltName field of the certificate.

This setting is required for DOD PKI users.
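The host name check described above can be sketched as follows. This is an added example, not code from the product: the certificate is a constructed dictionary shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical. It assumes that "exactly match" means no wildcard expansion, that DNS names compare case-insensitively, and that IP addresses compare by parsed value.

```python
import ipaddress

# Constructed sample certificate fields (not from a real host).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "host1.example.com"),)),
    "subjectAltName": (("DNS", "host1.example.com"),
                       ("DNS", "*.apps.example.com"),
                       ("IP Address", "192.0.2.10")),
}

def _norm(value):
    """Comparable form: a parsed IP address, or a lower-cased DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return value.lower()

def cert_names(cert):
    """Collect the CommonName and SubjectAltName (DNS / IP) entries."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.append(value)
    return names

def host_matches(configured_host, cert):
    """True only if the configured host equals one certificate name.

    Assumption: wildcard entries are compared literally, so they never
    match a concrete host name.
    """
    target = _norm(configured_host)
    return any(_norm(name) == target for name in cert_names(cert))

if __name__ == "__main__":
    for host in ("host1.example.com", "host1", "192.0.2.10",
                 "192.0.2.11", "web.apps.example.com"):
        print(f"{host:25} {'match' if host_matches(host, SAMPLE_CERT) else 'MISMATCH'}")
```

Under these assumptions, a path configured with a short name (`host1`) or an address that is not listed in the certificate fails the check even though it reaches the same host.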

Validate certificate chain

Specifies whether certificates presented for host authentication are checked to determine if they are valid and signed by a trusted CA.

CAUTION: Disabling this option can make connections vulnerable to man-in-the-middle attacks, which could compromise the security of the connection.

Certificate revocation

Use CRL

Select this option to validate the authenticating certificate by checking it against a digitally signed list of certificates that have been revoked by the Certification Authority. Certificates identified in a CRL are no longer valid.

OCSP

Select this option as an alternative to CRL checking to confirm whether a certificate is valid. OCSP uses the HTTP transport and responds to certificate status requests with one of three digitally signed responses: "good", "revoked", and "unknown". OCSP removes the need for servers and/or clients to retrieve and sort through large CRLs.

User authentication certificate

Type the name of a user certificate to use for client authentication, or click Browse to select it from a list of personal certificates available in the Reflection Certificate Manager store and the Windows system store.

Reflection Certificate Manager

Click to import and manage user certificates in the Reflection Certificate Manager.