8.4.1 PKI and Certificates

A Public Key Infrastructure (PKI) is a system that helps facilitate secure communications through the use of digital certificates. You can use a PKI for both host and user authentication.

Like public key authentication, certificate authentication uses public/private key pairs to verify the host identity. However, with certificate authentication, public keys are contained within digital certificates, and in this case, two key pairs are used. For example, for server authentication, the host holds one private key and the CA holds a second. The host obtains a certificate from the CA. This certificate contains identifying information about the host, a copy of the host public key, and a digital signature created using the CA's private key. This certificate is sent to the client during the authentication process. To verify the integrity of the information coming from the host, the client must have a copy of the CA's public key, which is contained in the CA root certificate. There is no need for the client to have a copy of the host public key.

Certificate authentication solves some of the problems presented by public key authentication. For example, for host public key authentication, the system administrator must either distribute host keys for every server to each client's known hosts store, or count on client users to confirm the host identity correctly when they connect to an unknown host. When certificates are used for host authentication, a single CA root certificate can be used to authenticate multiple hosts. In many cases the required certificate is already available in the Windows certificate store.

Similarly, when public keys are used for client authentication, each client public key must be uploaded to the server and the server must be configured to recognize that key. When certificate authentication is used, a single CA root certificate can be used to authenticate multiple client users.
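The following script is an added example, not part of the Reflection documentation, that builds the trust relationships described above with the openssl command-line tool: one CA signs certificates for several hosts, and a client verifies each host using nothing but the CA root certificate. It assumes the openssl binary is on PATH; the CA name, the host names and the generated files are constructed for this demonstration.

```shell
# Added example (not from the Reflection documentation): a minimal PKI built with
# the openssl CLI. Assumes openssl is on PATH. All names are constructed.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed CA configuration: the root certificate is marked as a CA and is
# permitted to sign certificates. No prompts because -subj is supplied.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Create a CA: a key pair plus a self-signed root certificate. The root
# certificate carries only the CA's public key and is the single item a client
# needs in its trusted store; the CA private key never leaves the CA.
make_ca() {
    ca="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -config ca.cnf \
        -subj "/CN=$ca" -keyout "$ca.key" -out "$ca.crt" >/dev/null 2>&1
}

# Issue a host certificate: the host generates its own key pair and a request
# carrying its public key; the CA binds that public key to the host name by
# signing it. The host private key stays on the host and is never sent to, or
# needed by, the client.
issue_host_cert() {
    ca="$1"; host="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$host.key" -out "$host.csr" >/dev/null 2>&1
    # End-entity extensions: not a CA, usable for server authentication only,
    # and the host name is carried in the subjectAltName extension.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$host.ext"
    openssl x509 -req -in "$host.csr" -CA "$ca.crt" -CAkey "$ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$host.ext" \
        -out "$host.crt" >/dev/null 2>&1
}

# Client-side check: validate a host certificate using only the trusted root
# certificate, and confirm that the name inside it matches the host the client
# intended to reach. Prints OK or FAIL.
verify_host_cert() {
    ca="$1"; host="$2"; expected="$3"
    if openssl verify -CAfile "$ca.crt" -verify_hostname "$expected" \
            "$host.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_ca trusted-ca
make_ca rogue-ca
issue_host_cert trusted-ca host1.example.test
issue_host_cert trusted-ca host2.example.test
issue_host_cert rogue-ca   host3.example.test

# One trusted root verifies every host that CA has signed ...
verify_host_cert trusted-ca host1.example.test host1.example.test   # OK
verify_host_cert trusted-ca host2.example.test host2.example.test   # OK
# ... but not a certificate issued by a CA the client does not trust,
verify_host_cert trusted-ca host3.example.test host3.example.test   # FAIL
# and not a valid certificate presented under a different host name.
verify_host_cert trusted-ca host1.example.test host2.example.test   # FAIL
```

Note that the client never touches host1.key or host2.key: the only trust anchor it holds is trusted-ca.crt, which is exactly the "single CA root certificate" the text refers to. Replacing the trusted root with a different one (rogue-ca.crt) makes the same host certificates fail, which is why control over which roots are trusted matters.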

Certificate stores

Digital certificates are maintained on your computer in certificate stores. A certificate store contains the certificates you use to confirm the identity of remote parties, and may also contain personal certificates, which you use to identify yourself to remote parties. Personal certificates are associated with a private key on your computer.

You can use digital certificates located in either or both of the following stores:

  • The Windows Certificate Store

    This store can be used by a number of applications, web browsers, and mail clients. Some certificates in this store are included when you install the Windows operating system. Others may be added when you connect to internet sites and establish trust, when you install software, or when you receive an encrypted or digitally signed e-mail. You can also import certificates manually into your Windows store. Manage the certificates in this store using the Windows Certificate Manager.

  • The Reflection Certificate Store

    This store is used only by Micro Focus applications. To add certificates to this store, you must import them manually. You can import certificates from files and also use certificates on hardware tokens such as smart cards. Manage the certificates in this store using the Reflection Certificate Manager.

You can configure authentication to use only the certificates located in the Reflection Certificate Manager store, or to use both the Windows certificate store and the Reflection Certificate Manager store. Enabling host authentication using the Windows certificate store means that you may not need to import certificates, because authentication may be accomplished using certificates that are already available. Disabling authentication using the Windows certificate store gives you greater control over which certificates are used for authentication. To enable or disable authentication with the Windows certificate store, open the Reflection Certificate Manager and click the Trusted Certificate Authorities tab.

PKI in Terminal and FTP Client sessions

PKI authentication is supported in both Secure Shell and SSL/TLS sessions.

  • All SSL/TLS sessions require certificates for host authentication; without the necessary certificate, you cannot make a host connection. Depending on the host configuration, you may also need to install certificates for user authentication.

  • Secure Shell sessions typically require both host and user authentication. Certificates can be used for host authentication, user authentication, or both, but are not required by default.